sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-26 21:57:41 +03:00
Code

kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers

Browse Source 
UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped not to given an error if the PAC was still
present.

Tested against Windows 2019

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andrew Bartlett 2021-10-18 16:00:45 +13:00 committed by Stefan Metzmacher
parent 92e8ce18a7
commit 031a828764
2 changed files with 26 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
selftest/knownfail_heimdal_kdc
View File

@ -87,7 +87,3 @@
# KRB5KRB_ERR_RESPONSE_TOO_BIG in this specific case
#
^samba4.krb5.kdc with machine account.as-req-pac-request.fl2000dc:local
#
# TGS tests
#
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_service_no_auth_data_required

38
source4/kdc/wdc-samba4.c
View File

@ -105,13 +105,15 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
krb5_pac *pac,
krb5_cksumtype ctype)
{
struct samba_kdc_entry *p =
struct samba_kdc_entry *server_skdc_entry =
talloc_get_type_abort(server->ctx,
struct samba_kdc_entry);
struct samba_kdc_entry *krbtgt_skdc_entry =
talloc_get_type_abort(krbtgt->ctx,
struct samba_kdc_entry);
TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_kdc_reget_pac2 context");
TALLOC_CTX *mem_ctx = talloc_named(server_skdc_entry,
0,
"samba_kdc_reget_pac2 context");
krb5_pac new_pac = NULL;
DATA_BLOB *pac_blob = NULL;
DATA_BLOB *upn_blob = NULL;
@ -135,12 +137,6 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
return ENOMEM;
}
/* The user account may be set not to want the PAC */
if (!samba_princ_needs_pac(p)) {
talloc_free(mem_ctx);
return EINVAL;
}
/* If the krbtgt was generated by an RODC, and we are not that
* RODC, then we need to regenerate the PAC - we can't trust
* it */
@ -373,12 +369,28 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
return EINVAL;
}
/* Build an updated PAC */
/*
* The server account may be set not to want the PAC.
*
* While this is wasteful if the above cacluations were done
* and now thrown away, this is cleaner as we do any ticket
* signature checking etc always.
*
* UF_NO_AUTH_DATA_REQUIRED is the rare case and most of the
* time (eg not accepting a ticket from the RODC) we do not
* need to re-generate anything anyway.
*/
if (!samba_princ_needs_pac(server_skdc_entry)) {
ret = 0;
new_pac = NULL;
goto out;
}
/* Otherwise build an updated PAC */
ret = krb5_pac_init(context, &new_pac);
if (ret != 0) {
SAFE_FREE(types);
talloc_free(mem_ctx);
return ret;
new_pac = NULL;
goto out;
}
for (i = 0;;) {
@ -496,6 +508,8 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
}
}
out:
SAFE_FREE(types);
/* We now replace the pac */