s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Oct 19 22:39:19 UTC 2023 on atb-devel-224
parent
d209cdf4f0
commit
4c291514a9
@ -125,8 +125,6 @@
|
|||||||
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\)
|
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\)
|
||||||
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\)
|
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\)
|
||||||
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
|
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
|
||||||
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\)
|
|
||||||
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\)
|
|
||||||
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
|
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
|
||||||
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)
|
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)
|
||||||
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\)
|
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\)
|
||||||
|
@ -642,14 +642,6 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
|
|||||||
if (pac_kdc_signature_rodc_id != header_ticket_rodc_id) {
|
if (pac_kdc_signature_rodc_id != header_ticket_rodc_id) {
|
||||||
struct sdb_entry signing_krbtgt_sdb;
|
struct sdb_entry signing_krbtgt_sdb;
|
||||||
|
|
||||||
/*
|
|
||||||
* If we didn't sign the ticket, then return an
|
|
||||||
* error.
|
|
||||||
*/
|
|
||||||
if (pac_kdc_signature_rodc_id != 0) {
|
|
||||||
return KRB5KRB_AP_ERR_MODIFIED;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Fetch our key from the database. To support
|
* Fetch our key from the database. To support
|
||||||
* key rollover, we're going to need to try
|
* key rollover, we're going to need to try
|
||||||
@ -659,8 +651,8 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
|
|||||||
ret = samba_kdc_fetch(context,
|
ret = samba_kdc_fetch(context,
|
||||||
krbtgt_skdc_entry->kdc_db_ctx,
|
krbtgt_skdc_entry->kdc_db_ctx,
|
||||||
krbtgt->principal,
|
krbtgt->principal,
|
||||||
SDB_F_GET_KRBTGT | SDB_F_CANON,
|
SDB_F_GET_KRBTGT | SDB_F_RODC_NUMBER_SPECIFIED | SDB_F_CANON,
|
||||||
0,
|
((uint32_t)pac_kdc_signature_rodc_id) << 16,
|
||||||
&signing_krbtgt_sdb);
|
&signing_krbtgt_sdb);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
return ret;
|
return ret;
|
||||||
|
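Review bot: The comment left above the lookup (`Fetch our key from the database`) is now inaccurate: with `SDB_F_GET_KRBTGT | SDB_F_RODC_NUMBER_SPECIFIED | SDB_F_CANON` and `((uint32_t)pac_kdc_signature_rodc_id) << 16` the fetch returns the krbtgt entry of whichever KDC signed the PAC, which is ours only when the RODC id is 0. Suggest replacing that sentence with `Fetch the key of the krbtgt that signed the PAC: ours when pac_kdc_signature_rodc_id is 0, otherwise that RODC's krbtgt. The RODC number travels in the upper 16 bits of the kvno argument, as SDB_F_RODC_NUMBER_SPECIFIED requires.` With the `pac_kdc_signature_rodc_id != 0` early return to KRB5KRB_AP_ERR_MODIFIED gone, a PAC carrying an unknown RODC id presumably now fails with whatever samba_kdc_fetch reports for a missing entry (the `if (ret != 0) return ret;` on the last lines) rather than AP_ERR_MODIFIED, so it is worth confirming that nothing depends on the old code and that the later trust check on the fetched signing_krbtgt entry is what now decides whether that RODC may vouch for this client. samba_wdc_verify_pac begins and ends outside the hunks, so those later checks are not visible here.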