s4:kdc: Add ‘samba_kdc_entry_pac’ wrapper type

With embedded Heimdal, we can mark a PAC as being trusted (i.e. not
issued by an RODC). This is convenient, as it saves us needing to carry
that information in flags, hoping it isn’t inadvertently lost.

System Heimdal and MIT Kerberos, however, don’t provide a way to mark a
PAC trusted. So we add a new wrapper type, ‘samba_kdc_entry_pac’, that
contains this extra information if ‘krb5_const_pac’ doesn’t contain it
already. As it also stores a pointer to the client entry, the
structure’s lifetime must therefore be carefully managed. Finally, it
keeps track of whether the PAC came across a trust, to know which is
useful in some circumstances.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

source4/kdc/pac-glue.c

@@ -854,6 +854,50 @@ NTSTATUS samba_kdc_add_compounded_auth(enum samba_compounded_auth compounded_aut
 	return NT_STATUS_INVALID_PARAMETER;
 }
 
+/*
+ * Return true if this entry has an associated PAC issued or signed by a KDC
+ * that our KDC trusts. We trust the main krbtgt account, but we don’t trust any
+ * RODC krbtgt besides ourselves.
+ */
+bool samba_krb5_pac_is_trusted(const struct samba_kdc_entry_pac pac)
+{
+	if (pac.pac == NULL) {
+		return false;
+	}
+
+#ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */
+	return krb5_pac_is_trusted(pac.pac);
+#else /* MIT */
+	return pac.pac_is_trusted;
+#endif /* HAVE_KRB5_PAC_IS_TRUSTED */
+}
+
+#ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */
+struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
+					       struct samba_kdc_entry *entry,
+					       bool is_from_trust)
+{
+	return (struct samba_kdc_entry_pac) {
+		.entry = entry,
+		.pac = pac,
+		.is_from_trust = is_from_trust,
+	};
+}
+#else /* MIT */
+struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac,
+							    struct samba_kdc_entry *entry,
+							    bool is_from_trust,
+							    bool is_trusted)
+{
+	return (struct samba_kdc_entry_pac) {
+		.entry = entry,
+		.pac = pac,
+		.is_from_trust = is_from_trust,
+		.pac_is_trusted = is_trusted,
+	};
+}
+#endif /* HAVE_KRB5_PAC_IS_TRUSTED */
+
 /*
  * Look up the user's info in the database and create a auth_user_info_dc
  * structure. If the resulting structure is not talloc_free()d, it will be

source4/kdc/pac-glue.h

@@ -31,6 +31,7 @@
 #include "libcli/util/werror.h"
 #include "librpc/gen_ndr/auth.h"
 #include "kdc/samba_kdc.h"
+#include "lib/krb5_wrap/krb5_samba.h"
 
 enum samba_asserted_identity {
 	SAMBA_ASSERTED_IDENTITY_IGNORE = 0,
@@ -56,6 +57,33 @@ enum {
 	SAMBA_KDC_FLAG_DELEGATED_PROXY_IS_TRUSTED = 0x00000040,
 };
 
+struct samba_kdc_entry_pac {
+	struct samba_kdc_entry *entry;
+	krb5_const_pac pac; /* NULL indicates that no PAC is present. */
+	bool is_from_trust : 1;
+#ifndef HAVE_KRB5_PAC_IS_TRUSTED /* MIT */
+	bool pac_is_trusted : 1;
+#endif /* HAVE_KRB5_PAC_IS_TRUSTED */
+};
+
+/*
+ * Return true if this entry has an associated PAC issued or signed by a KDC
+ * that our KDC trusts. We trust the main krbtgt account, but we don’t trust any
+ * RODC krbtgt besides ourselves.
+ */
+bool samba_krb5_pac_is_trusted(const struct samba_kdc_entry_pac pac);
+
+#ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */
+struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
+					       struct samba_kdc_entry *entry,
+					       bool is_from_trust);
+#else /* MIT */
+struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac,
+							    struct samba_kdc_entry *entry,
+							    bool is_from_trust,
+							    bool is_trusted);
+#endif /* HAVE_KRB5_PAC_IS_TRUSTED */
+
 krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
 						  const krb5_keyblock *pkreplykey,
 						  const DATA_BLOB *cred_ndr_blob,