From 407a979b983a107a2c58fe6c7d54d5eb341d08f7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 9 Oct 2023 14:19:13 +1300 Subject: [PATCH] s4:kdc: Do not perform compound authentication for services without Compound Identity support Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- selftest/knownfail_heimdal_kdc | 16 ---------------- source4/kdc/pac-glue.c | 3 ++- 2 files changed, 2 insertions(+), 17 deletions(-) diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index fb42060b98f..39628bca446 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -223,9 +223,6 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_service_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_with_aa_asserted_identity\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_with_claims_valid\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_with_service_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_and_service_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_aa_asserted_identity\(ad_dc\) @@ -233,19 +230,12 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_service_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_aa_asserted_identity\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_claims_valid\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_compounded_authentication\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_service_asserted_identity\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_client_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_device_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_device_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_client_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_device_from_rodc\(ad_dc\) @@ -261,15 +251,9 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_claims_present\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_claims_invalid_no_attrs\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_claims_present\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support\(ad_dc\) # # Conditional ACE device restrictions # ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_present\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_groups_present\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_policy_only\(ad_dc\) -# -# Tests for services without support for Compound Identity -# -^samba\.tests\.krb5\.claims_tests\.samba\.tests\.krb5\.claims_tests\.ClaimsTests\.test_device_claims_device_to_service_no_compound_id\(ad_dc\)$ -^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_device_to_service_no_compound_id\(ad_dc\)$ diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 0225dd861b6..a4b02f18018 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -2463,7 +2463,8 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED; } - compounded_auth = device.entry != NULL && !is_tgs; + compounded_auth = device.entry != NULL && !is_tgs + && server->supported_enctypes & KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED; if (compounded_auth) { struct claims_data *device_claims = NULL; -- 2.47.3