2025-02-25 17:57:42 +03:00 · 2023-05-04 15:06:40 +12:00 · 2023-05-04 15:06:40 +12:00 · 1fdff37105
commit 1fdff37105
parent f1212ffe4e
4 changed files with 51 additions and 2 deletions
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@ -64,12 +64,23 @@
 	/* Needed for RODC rule processing */	\
 	"msDS-KrbTgtLinkBL"

+#define AUTHN_POLICY_ATTRS                     \
+	/* Required for authentication policies / silos */ \
+	"msDS-AssignedAuthNPolicy",             \
+	"msDS-AssignedAuthNPolicySilo"
+
 const char *krbtgt_attrs[] = {
+	/*
+	 * Authentication policies will not be enforced on the TGS
+	 * account. Don’t include the relevant attributes in the account search.
+	 */
 	KRBTGT_ATTRS, NULL
 };

 const char *server_attrs[] = {
-	KRBTGT_ATTRS, NULL
+	KRBTGT_ATTRS,
+	AUTHN_POLICY_ATTRS,
+	NULL
 };

 const char *user_attrs[] = {
@ -82,6 +93,7 @@ const char *user_attrs[] = {
 	"msDS-ResultantPSO",

 	KRBTGT_ATTRS,
+	AUTHN_POLICY_ATTRS,

 	"logonHours",

--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@ -34,6 +34,7 @@
 #include "../lib/crypto/md4.h"
 #include "system/kerberos.h"
 #include "auth/kerberos/kerberos.h"
+#include "kdc/authn_policy_util.h"
 #include "kdc/sdb.h"
 #include "kdc/samba_kdc.h"
 #include "kdc/db-glue.h"
@ -1089,6 +1090,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		ENC_ALL_TYPES;
 	const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);

+	const struct authn_kerberos_client_policy *authn_client_policy = NULL;
+	const struct authn_server_policy *authn_server_policy = NULL;
+
 	ZERO_STRUCTP(entry);

 	if (supported_enctypes == 0) {
@ -1392,6 +1396,34 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,

 	*entry->max_renew = kdc_db_ctx->policy.renewal_lifetime;

+	/*
+	 * A principal acting as a client that is not being looked up as the
+	 * principal of an armor ticket may have an authentication policy apply
+	 * to it.
+	 */
+	if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT &&
+	    (flags & SDB_F_FOR_AS_REQ) &&
+	    !(flags & SDB_F_ARMOR_PRINCIPAL))
+	{
+		ret = authn_policy_kerberos_client(kdc_db_ctx->samdb, mem_ctx, msg,
+						   &authn_client_policy);
+		if (ret) {
+			goto out;
+		}
+	}
+
+	/*
+	 * A principal acting as a server may have an authentication policy
+	 * apply to it.
+	 */
+	if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
+		ret = authn_policy_server(kdc_db_ctx->samdb, mem_ctx, msg,
+					  &authn_server_policy);
+		if (ret) {
+			goto out;
+		}
+	}
+
 	if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT && (flags & SDB_F_FOR_AS_REQ)) {
 		int result;
 		const struct auth_user_info_dc *user_info_dc = NULL;
@ -1628,6 +1660,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	p->msg = talloc_steal(p, msg);
 	p->supported_enctypes = pa_supported_enctypes;

+	p->client_policy = talloc_steal(p, authn_client_policy);
+	p->server_policy = talloc_steal(p, authn_server_policy);
+
 out:
 	if (ret != 0) {
 		/* This doesn't free ent itself, that is for the eventual caller to do */
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@ -63,6 +63,8 @@ struct samba_kdc_entry {
 	struct ldb_message *msg;
 	struct ldb_dn *realm_dn;
 	struct auth_user_info_dc *user_info_dc;
+	const struct authn_kerberos_client_policy *client_policy;
+	const struct authn_server_policy *server_policy;
 	bool is_krbtgt;
 	bool is_rodc;
 	bool is_trust;
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@ -135,7 +135,7 @@ bld.SAMBA_LIBRARY('pac',

 bld.SAMBA_LIBRARY('db-glue',
 	source='db-glue.c',
-	deps='ldb auth4_sam common_auth samba-credentials sdb samba-hostconfig com_err RPC_NDR_IRPC MESSAGING PAC_GLUE',
+	deps='ldb auth4_sam common_auth samba-credentials sdb samba-hostconfig com_err RPC_NDR_IRPC MESSAGING PAC_GLUE authn_policy_util',
 	private_library=True,
 	)