sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00
Code

s4:kdc: Don’t issue forwardable or proxiable tickets to Protected Users

Browse Source 
If an authentication policy enforces a maximum TGT lifetime for a
Protected User, that limit should stand in place of the four-hour limit
usually applied to Protected Users; we should nevertheless continue to
ensure that forwardable or proxiable tickets are not issued to such
users.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2023-08-09 10:47:08 +12:00 committed by Andrew Bartlett
parent 7026b08e23
commit 0cf658cd10
3 changed files with 18 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
selftest/knownfail_heimdal_kdc
View File

@ -63,7 +63,10 @@
# #
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_empty.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_empty.ad_dc
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_empty.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_empty.ad_dc
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_with_policy_error.ad_dc #
# This test fails; but that is acceptable, for we have an alternative test
# (test_authn_policy_protected_flags_with_policy_error) that expects to receive
# a policy error.
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_without_policy_error.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_without_policy_error.ad_dc
# #
# PK-INIT tests # PK-INIT tests

5
selftest/knownfail_mit_kdc_1_20
View File

@ -72,8 +72,11 @@
# #
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_no_fast_negative_lifetime.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_no_fast_negative_lifetime.ad_dc
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_s4u2self_constrained_delegation.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_s4u2self_constrained_delegation.ad_dc
#
# This test fails; but that is acceptable, for we have an alternative test
# (test_authn_policy_protected_flags_without_policy_error) that expects to
# receive a policy error.
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_with_policy_error.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_with_policy_error.ad_dc
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_without_policy_error.ad_dc
# #
# PK-INIT tests # PK-INIT tests
# #

19
source4/kdc/db-glue.c
View File

@ -1478,17 +1478,18 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
protected_user = result; protected_user = result;
if (protected_user && enforced_tgt_lifetime_raw == 0) if (protected_user) {
{
/*
* If a TGT lifetime hasnt been set, Protected Users
* enforces a four hour TGT lifetime.
*/
*entry->max_life = MIN(*entry->max_life, 4 * 60 * 60);
*entry->max_renew = MIN(*entry->max_renew, 4 * 60 * 60);
entry->flags.forwardable = 0; entry->flags.forwardable = 0;
entry->flags.proxiable = 0; entry->flags.proxiable = 0;
if (enforced_tgt_lifetime_raw == 0) {
/*
* If a TGT lifetime hasnt been set, Protected
* Users enforces a four hour TGT lifetime.
*/
*entry->max_life = MIN(*entry->max_life, 4 * 60 * 60);
*entry->max_renew = MIN(*entry->max_renew, 4 * 60 * 60);
}
} }
} }