
s4:kdc: Have samba_kdc_get_device_info_blob() call samba_kdc_get_user_info_dc() instead of adding special SIDs itself

samba_kdc_get_user_info_dc() will add the Asserted Identity and Claims
Valid SIDs as appropriate.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2023-10-31 16:14:26 +13:00 committed by Andrew Bartlett
parent f8bfd607ca
commit 0733ea3663
2 changed files with 11 additions and 42 deletions


@ -58,7 +58,6 @@
^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_service.ad_dc
^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_krbtgt.ad_dc
^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_service.ad_dc
^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_rodc_issued_without_asserted_identity\(ad_dc\)$
#
# Authentication policy tests
#


@ -2178,15 +2178,14 @@ static krb5_error_code samba_kdc_create_device_info_blob(TALLOC_CTX *mem_ctx,
static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
krb5_context context,
struct ldb_context *samdb,
struct samba_kdc_entry *device,
const struct samba_kdc_entry_pac device,
DATA_BLOB **device_info_blob)
{
TALLOC_CTX *frame = NULL;
krb5_error_code code = EINVAL;
NTSTATUS nt_status;
const struct auth_user_info_dc *device_info_dc_const = NULL;
struct auth_user_info_dc *device_info_dc_shallow_copy = NULL;
const struct auth_user_info_dc *device_info = NULL;
struct netr_SamInfo3 *info3 = NULL;
struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL;
@ -2194,14 +2193,15 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
frame = talloc_stackframe();
code = samba_kdc_get_user_info_from_db(frame,
samdb,
device,
device->msg,
&device_info_dc_const);
code = samba_kdc_get_user_info_dc(frame,
context,
samdb,
device,
&device_info,
NULL /* resource_groups_out */);
if (code) {
const char *krb5_err = krb5_get_error_message(context, code);
DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n",
DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
krb5_err != NULL ? krb5_err : "<unknown>");
krb5_free_error_message(context, krb5_err);
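Review bot: The `if (code)` branch after the new samba_kdc_get_user_info_dc() call logs the helper's krb5_error_code and then (at the start of the next hunk) returns KRB5KDC_ERR_TGT_REVOKED unconditionally, so every failure of the new callee reaches the client as a revoked TGT regardless of cause. The previous callee was a plain database lookup, where a single mapping was defensible; the replacement, per the commit message, also adds the Asserted Identity and Claims Valid SIDs and presumably can fail for resource or lookup reasons rather than policy ones, so `code` now carries information that is discarded. Either propagate `code` for failures that are not an authorisation decision, or state the intent above the return, e.g. `/* Any failure to build the device's user_info_dc is reported as TGT_REVOKED so the client learns nothing about why. */`. The enclosing function samba_kdc_get_device_info_blob() begins in the preceding hunk and continues past this one.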
@ -2209,37 +2209,7 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
return KRB5KDC_ERR_TGT_REVOKED;
}
/* Make a shallow copy of the user_info_dc structure. */
nt_status = authsam_shallow_copy_user_info_dc(frame,
device_info_dc_const,
&device_info_dc_shallow_copy);
device_info_dc_const = NULL;
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to allocate user_info_dc SIDs: %s\n",
nt_errstr(nt_status));
talloc_free(frame);
return map_errno_from_nt_status(nt_status);
}
nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
device_info_dc_shallow_copy);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to add asserted identity: %s\n",
nt_errstr(nt_status));
talloc_free(frame);
return KRB5KDC_ERR_TGT_REVOKED;
}
nt_status = samba_kdc_add_claims_valid(device_info_dc_shallow_copy);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to add Claims Valid: %s\n",
nt_errstr(nt_status));
talloc_free(frame);
return KRB5KDC_ERR_TGT_REVOKED;
}
nt_status = auth_convert_user_info_dc_saminfo3(frame, device_info_dc_shallow_copy,
nt_status = auth_convert_user_info_dc_saminfo3(frame, device_info,
AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED,
&info3,
&resource_groups);
@ -2586,7 +2556,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
code = samba_kdc_get_device_info_blob(tmp_ctx,
context,
samdb,
device.entry,
device,
&device_info_blob);
if (code != 0) {
goto done;