From 4b19a707f2ac78ee7ce45ec93c47edaca9d94e47 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 10 Oct 2023 15:41:40 +1300
Subject: [PATCH] s4:kdc: Use claims to evaluate RBCD conditions

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 source4/kdc/hdb-samba4.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 33b758f7490..7d80358c889 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -335,6 +335,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
 	const struct auth_user_info_dc *client_info = NULL;
 	const struct auth_user_info_dc *device_info = NULL;
 	struct samba_kdc_entry_pac client_pac_entry = {};
+	struct auth_claims auth_claims = {};
 	TALLOC_CTX *mem_ctx = NULL;
 	krb5_error_code code;
 
@@ -366,6 +367,15 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
 		goto out;
 	}
 
+	code = samba_kdc_get_claims_data(mem_ctx,
+					 context,
+					 kdc_db_ctx->samdb,
+					 client_pac_entry,
+					 &auth_claims.user_claims);
+	if (code) {
+		goto out;
+	}
+
 	if (device != NULL) {
 		struct samba_kdc_entry *device_skdc_entry = NULL;
 		const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL;
@@ -392,6 +402,15 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
 		if (code) {
 			goto out;
 		}
+
+		code = samba_kdc_get_claims_data(mem_ctx,
+						 context,
+						 kdc_db_ctx->samdb,
+						 device_pac_entry,
+						 &auth_claims.device_claims);
+		if (code) {
+			goto out;
+		}
 	}
 
 	code = samba_kdc_check_s4u2proxy_rbcd(context,
@@ -400,7 +419,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
 					      server_principal,
 					      client_info,
 					      device_info,
-					      (struct auth_claims) {},
+					      auth_claims,
 					      proxy_skdc_entry);
 out:
 	talloc_free(mem_ctx);
--
2.47.3
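Review bot: The new `samba_kdc_get_claims_data` call before `if (device != NULL)` turns any failure to obtain the client's claims into a refusal of the whole RBCD check via `goto out`, and the device-side call in the following hunk does the same; that is the right fail-closed default for an authorization decision, but nothing in the hunk records that this is intentional. Whether a PAC carrying no claims buffer is reported as success with empty claims or as an error is not visible here; if it is an error, tickets issued without claims would now be denied delegation, so a comment such as `/* Claims are required for the RBCD evaluation below; any lookup failure denies the request rather than evaluating with partial data. */` above the call would make the policy explicit. The two blocks differ only in the PAC entry and the destination field, so a small static helper taking the pac entry and `struct auth_claims_data **` would remove the duplication. hdb_samba4_check_rbcd starts before and ends after this hunk.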
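Review bot: `auth_claims` now carries pointers allocated on `mem_ctx` (user_claims, and device_claims when a device was present), and `mem_ctx` is freed at the `out:` label two lines below the `samba_kdc_check_s4u2proxy_rbcd` call, so the callee must consume the claims during the call and must not retain them in `proxy_skdc_entry` or any result that outlives this function. That presumably already holds for `client_info` and `device_info` on the same call, but since claims are new here it deserves a one-line comment at the label, `/* Everything derived from the PACs above (info and claims) lives on mem_ctx and is gone past this point. */`. When no device is present, `auth_claims.device_claims` stays NULL from the `= {}` initializer in the first hunk, which matches what the replaced `(struct auth_claims) {}` argument passed before, so the callee's existing NULL handling is unchanged. The enclosing function begins outside the hunk.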