s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add an Asserted Identity SID

samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.

By extracting the call to samba_kdc_add_asserted_identity() into the
former function’s callers, we’ll be able to remove the
‘asserted_identity’ parameter in the next commit, reducing the
function’s complexity.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

source4/kdc/mit_samba.c

@@ -486,7 +486,7 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 
 	nt_status = samba_kdc_get_user_info_dc(tmp_ctx,
 					       skdc_entry,
-					       asserted_identity,
+					       SAMBA_ASSERTED_IDENTITY_IGNORE,
 					       &user_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(tmp_ctx);
@@ -497,6 +497,15 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 		return EINVAL;
 	}
 
+	nt_status = samba_kdc_add_asserted_identity(asserted_identity,
+						    user_info_dc);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DBG_ERR("Failed to add asserted identity: %s\n",
+			nt_errstr(nt_status));
+		talloc_free(tmp_ctx);
+		return EINVAL;
+	}
+
 	nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
 					       user_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {

source4/kdc/pac-glue.c

@@ -1215,7 +1215,7 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx,
 		 */
 		nt_status = samba_kdc_get_user_info_dc(mem_ctx,
 						       skdc_entry,
-						       SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
+						       SAMBA_ASSERTED_IDENTITY_IGNORE,
 						       &user_info_dc);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
@@ -1223,6 +1223,15 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx,
 			ret = KRB5KDC_ERR_TGT_REVOKED;
 			goto out;
 		}
+
+		nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
+							    user_info_dc);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			DBG_ERR("Failed to add asserted identity: %s\n",
+				nt_errstr(nt_status));
+			ret = KRB5KDC_ERR_TGT_REVOKED;
+			goto out;
+		}
 	}
 
 	*user_info_dc_out = user_info_dc;
@@ -2016,7 +2025,7 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
 
 	nt_status = samba_kdc_get_user_info_dc(frame,
 					       device,
-					       SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
+					       SAMBA_ASSERTED_IDENTITY_IGNORE,
 					       &device_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
@@ -2025,6 +2034,15 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
 		return KRB5KDC_ERR_TGT_REVOKED;
 	}
 
+	nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
+						    device_info_dc);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DBG_ERR("Failed to add asserted identity: %s\n",
+			nt_errstr(nt_status));
+		talloc_free(frame);
+		return KRB5KDC_ERR_TGT_REVOKED;
+	}
+
 	nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
 					       device_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
@@ -2924,7 +2942,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
 	} else {
 		nt_status = samba_kdc_get_user_info_dc(frame,
 						       device,
-						       SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
+						       SAMBA_ASSERTED_IDENTITY_IGNORE,
 						       &device_info);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
@@ -2934,6 +2952,16 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
 			goto out;
 		}
 
+		nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
+							    device_info);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			DBG_ERR("Failed to add asserted identity: %s\n",
+				nt_errstr(nt_status));
+
+			code = KRB5KDC_ERR_TGT_REVOKED;
+			goto out;
+		}
+
 		nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
 						       device_info);
 		if (!NT_STATUS_IS_OK(nt_status)) {

source4/kdc/wdc-samba4.c

@@ -125,13 +125,22 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 
 	nt_status = samba_kdc_get_user_info_dc(mem_ctx,
 					       skdc_entry,
-					       asserted_identity,
+					       SAMBA_ASSERTED_IDENTITY_IGNORE,
 					       &user_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(mem_ctx);
 		return map_errno_from_nt_status(nt_status);
 	}
 
+	nt_status = samba_kdc_add_asserted_identity(asserted_identity,
+						    user_info_dc);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DBG_ERR("Failed to add asserted identity: %s\n",
+			nt_errstr(nt_status));
+		talloc_free(mem_ctx);
+		return map_errno_from_nt_status(nt_status);
+	}
+
 	nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
 					       user_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {