From 1c456912a13835c29e810379dfc36e2773baf895 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Wed, 27 Sep 2023 13:15:15 +1300
Subject: [PATCH] =?utf8?q?s4:kdc:=20Add=20=E2=80=98samba=5Fkdc=5Fentry=5Fp?=
 =?utf8?q?ac=E2=80=99=20wrapper=20type?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

With embedded Heimdal, we can mark a PAC as being trusted (i.e. not issued by an RODC). This is convenient, as it saves us needing to carry that information in flags, hoping it isn’t inadvertently lost. System Heimdal and MIT Kerberos, however, don’t provide a way to mark a PAC trusted. So we add a new wrapper type, ‘samba_kdc_entry_pac’, that contains this extra information if ‘krb5_const_pac’ doesn’t contain it already. As it also stores a pointer to the client entry, the structure’s lifetime must therefore be carefully managed. Finally, it keeps track of whether the PAC came across a trust, to know which is useful in some circumstances.
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 source4/kdc/pac-glue.c | 44 ++++++++++++++++++++++++++++++++++++++++++
 source4/kdc/pac-glue.h | 28 +++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 4fb0f3f5d2b..5c7f03ab7bf 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -854,6 +854,50 @@ NTSTATUS samba_kdc_add_compounded_auth(enum samba_compounded_auth compounded_aut
 return NT_STATUS_INVALID_PARAMETER;
 }
 
+/*
+ * Return true if this entry has an associated PAC issued or signed by a KDC
+ * that our KDC trusts. We trust the main krbtgt account, but we don’t trust any
+ * RODC krbtgt besides ourselves.
+ */
+bool samba_krb5_pac_is_trusted(const struct samba_kdc_entry_pac pac)
+{
+ if (pac.pac == NULL) {
+ return false;
+ }
+
+#ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */
+ return krb5_pac_is_trusted(pac.pac);
+#else /* MIT */
+ return pac.pac_is_trusted;
+#endif /* HAVE_KRB5_PAC_IS_TRUSTED */
+}
+
+#ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */
+struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
+ struct samba_kdc_entry *entry,
+ bool is_from_trust)
+{
+ return (struct samba_kdc_entry_pac) {
+ .entry = entry,
+ .pac = pac,
+ .is_from_trust = is_from_trust,
+ };
+}
+#else /* MIT */
+struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac,
+ struct samba_kdc_entry *entry,
+ bool is_from_trust,
+ bool is_trusted)
+{
+ return (struct samba_kdc_entry_pac) {
+ .entry = entry,
+ .pac = pac,
+ .is_from_trust = is_from_trust,
+ .pac_is_trusted = is_trusted,
+ };
+}
+#endif /* HAVE_KRB5_PAC_IS_TRUSTED */
+
 /*
 * Look up the user's info in the database and create a auth_user_info_dc
 * structure. If the resulting structure is not talloc_free()d, it will be
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index fcef7c3d7f1..e52a6711a9a 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -31,6 +31,7 @@
 #include "libcli/util/werror.h"
 #include "librpc/gen_ndr/auth.h"
 #include "kdc/samba_kdc.h"
+#include "lib/krb5_wrap/krb5_samba.h"
 
 enum samba_asserted_identity {
 SAMBA_ASSERTED_IDENTITY_IGNORE = 0,
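Review bot: The `is_trusted` argument of `samba_kdc_entry_pac_from_trusted` is, on the MIT build, the sole thing that can later make `samba_krb5_pac_is_trusted` return true, yet the constructor says nothing about what a caller must have established before passing `true`; the predicate's comment ("issued or signed by a KDC that our KDC trusts") is that precondition and should also sit above the `#ifdef HAVE_KRB5_PAC_IS_TRUSTED` constructor block, e.g. `/* is_trusted: pass true only once the PAC is known to be issued or signed by a krbtgt we trust (the main krbtgt or our own, never another RODC); with embedded Heimdal that fact lives in the krb5_pac itself and callers cannot assert it. */`. `samba_krb5_pac_is_trusted` also returns false both when no PAC is present and when the PAC is untrusted, so a caller that needs to tell the two apart must test `pac.pac == NULL` itself; one sentence saying so in its comment would stop that being overlooked. The `/* Heimdal */` labels on the `HAVE_KRB5_PAC_IS_TRUSTED` branches are slightly misleading given the commit message states that system Heimdal lacks the function; `/* embedded Heimdal */` would match. As a point of style, the predicate carries the `samba_krb5_` prefix while the type and both constructors use `samba_kdc_entry_pac`, so naming it `samba_kdc_entry_pac_is_trusted` would keep the family together.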
@@ -56,6 +57,33 @@ enum {
 SAMBA_KDC_FLAG_DELEGATED_PROXY_IS_TRUSTED = 0x00000040,
 };
 
+struct samba_kdc_entry_pac {
+ struct samba_kdc_entry *entry;
+ krb5_const_pac pac; /* NULL indicates that no PAC is present. */
+ bool is_from_trust : 1;
+#ifndef HAVE_KRB5_PAC_IS_TRUSTED /* MIT */
+ bool pac_is_trusted : 1;
+#endif /* HAVE_KRB5_PAC_IS_TRUSTED */
+};
+
+/*
+ * Return true if this entry has an associated PAC issued or signed by a KDC
+ * that our KDC trusts. We trust the main krbtgt account, but we don’t trust any
+ * RODC krbtgt besides ourselves.
+ */
+bool samba_krb5_pac_is_trusted(const struct samba_kdc_entry_pac pac);
+
+#ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */
+struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
+ struct samba_kdc_entry *entry,
+ bool is_from_trust);
+#else /* MIT */
+struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac,
+ struct samba_kdc_entry *entry,
+ bool is_from_trust,
+ bool is_trusted);
+#endif /* HAVE_KRB5_PAC_IS_TRUSTED */
+
 krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
 const krb5_keyblock *pkreplykey,
 const DATA_BLOB *cred_ndr_blob,
-- 
2.47.3
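Review bot: `struct samba_kdc_entry_pac` holds raw `entry` and `pac` pointers without saying who owns them or how long they remain valid, even though the commit message itself says the structure's lifetime must be carefully managed; only the `pac` member has a comment. I would head the struct with `/* Non-owning view: 'entry' and 'pac' must outlive this struct; it is meant to be passed by value within a call chain, not stored. */`, give `is_from_trust` a line such as `/* The PAC came across a trust (presumably a domain trust) rather than from our own realm. */`, and mark the MIT-only `pac_is_trusted` with `/* Set only via samba_kdc_entry_pac_from_trusted(); never assign directly. */` so the trust bit cannot be flipped casually. Because `samba_kdc_entry_pac` exists only on the `HAVE_KRB5_PAC_IS_TRUSTED` build and `samba_kdc_entry_pac_from_trusted` only on the other, every caller has to be written twice under `#ifdef`; whether that is intended is not visible here, but a one-line comment above the `#ifdef` stating it would help readers. The prototype of `samba_kdc_encrypt_pac_credentials` in the trailing context continues outside the hunk.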