heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but
when generating a service ticket for S4U2Self, we want to avoid adding
the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9bd2680485
)
This commit is contained in:
parent
8585333a8e
commit
65bb0e3201
@ -241,15 +241,8 @@
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_client_not_delegated
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_forwardable
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowed
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_empty_allowed
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_nonempty_allowed
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_without_forwardable
|
||||
#
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
|
||||
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
|
||||
@ -281,11 +274,6 @@
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_none
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_true
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid)
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
|
||||
|
@ -1776,7 +1776,7 @@ _kdc_as_rep(krb5_context context,
|
||||
|
||||
sent_pac_request = send_pac_p(context, req, &pac_request);
|
||||
|
||||
ret = _kdc_pac_generate(context, client, pk_reply_key,
|
||||
ret = _kdc_pac_generate(context, client, server, pk_reply_key,
|
||||
sent_pac_request ? &pac_request : NULL,
|
||||
&p);
|
||||
if (ret) {
|
||||
|
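Review bot: The AS-REP path now passes the real `server` entry into `_kdc_pac_generate`, which, if I read the plugin side of this commit correctly, means an AS-REQ whose target is a service rather than krbtgt will also get a PAC without PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID; the commit message only mentions the S4U2Self case, so this broader effect deserves a comment at the call site. I would add `/* server tells the windc plugin whether this is a TGT; for a non-krbtgt server the TGT-only PAC buffers are omitted */` above the call. The same consideration applies to the S4U2Self call in the hunk at `server_lookup:`. _kdc_as_rep starts and ends outside this hunk.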
@ -1848,7 +1848,8 @@ server_lookup:
|
||||
mspac = NULL;
|
||||
}
|
||||
|
||||
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, NULL, &mspac);
|
||||
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, server,
|
||||
NULL, NULL, &mspac);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 0, "PAC generation failed for -- %s",
|
||||
tpn);
|
||||
|
@ -73,6 +73,7 @@ krb5_kdc_windc_init(krb5_context context)
|
||||
krb5_error_code
|
||||
_kdc_pac_generate(krb5_context context,
|
||||
hdb_entry_ex *client,
|
||||
hdb_entry_ex *server,
|
||||
const krb5_keyblock *pk_reply_key,
|
||||
const krb5_boolean *pac_request,
|
||||
krb5_pac *pac)
|
||||
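Review bot: The new `server` parameter of `_kdc_pac_generate` is forwarded to both plugin entry points without any statement of its contract: whether callers may pass NULL and what the plugin is expected to do with it. Since the plugin in this commit dereferences it unconditionally, the declaration should say so; I would put a comment above the definition along the lines of `/* server: the ticket's server entry (must not be NULL); plugins use it to distinguish a TGT from a service ticket when choosing which PAC buffers to emit */`. The hunk at `@ -88,9 +89,9 @@` that forwards the argument carries the same gap.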
@ -88,9 +89,9 @@ _kdc_pac_generate(krb5_context context,
|
||||
|
||||
if (windcft->pac_pk_generate != NULL && pk_reply_key != NULL)
|
||||
return (windcft->pac_pk_generate)(windcctx, context,
|
||||
client, pk_reply_key,
|
||||
client, server, pk_reply_key,
|
||||
pac_request, pac);
|
||||
return (windcft->pac_generate)(windcctx, context, client,
|
||||
return (windcft->pac_generate)(windcctx, context, client, server,
|
||||
pac_request, pac);
|
||||
}
|
||||
|
||||
|
@ -55,12 +55,14 @@ struct hdb_entry_ex;
|
||||
typedef krb5_error_code
|
||||
(*krb5plugin_windc_pac_generate)(void *, krb5_context,
|
||||
struct hdb_entry_ex *, /* client */
|
||||
struct hdb_entry_ex *, /* server */
|
||||
const krb5_boolean *, /* pac_request */
|
||||
krb5_pac *);
|
||||
|
||||
typedef krb5_error_code
|
||||
(*krb5plugin_windc_pac_pk_generate)(void *, krb5_context,
|
||||
struct hdb_entry_ex *, /* client */
|
||||
struct hdb_entry_ex *, /* server */
|
||||
const krb5_keyblock *, /* pk_replykey */
|
||||
const krb5_boolean *, /* pac_request */
|
||||
krb5_pac *);
|
||||
|
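Review bot: Inserting `struct hdb_entry_ex *, /* server */` into both `krb5plugin_windc_pac_generate` and `krb5plugin_windc_pac_pk_generate` changes the calling convention of the windc plugin interface, so any out-of-tree plugin built against the old typedef would be called with shifted arguments rather than failing to load. If this header carries an interface version macro (upstream Heimdal uses `KRB5_WINDC_PLUGIN_MINOR` for this purpose; I cannot see it in the hunk), it should be bumped in the same commit. Independently of that, the bare `/* server */` label would be more useful as `/* server (never NULL): lets the plugin tell a TGT from a service ticket */` so implementers know they may dereference it.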
@ -37,6 +37,7 @@
|
||||
*/
|
||||
static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
|
||||
struct hdb_entry_ex *client,
|
||||
struct hdb_entry_ex *server,
|
||||
const krb5_keyblock *pk_reply_key,
|
||||
const krb5_boolean *pac_request,
|
||||
krb5_pac *pac)
|
||||
@ -55,6 +56,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
|
||||
struct samba_kdc_entry *skdc_entry =
|
||||
talloc_get_type_abort(client->ctx,
|
||||
struct samba_kdc_entry);
|
||||
bool is_krbtgt;
|
||||
|
||||
mem_ctx = talloc_named(client->ctx, 0, "samba_get_pac context");
|
||||
if (!mem_ctx) {
|
||||
@ -65,13 +67,15 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
|
||||
cred_ndr_ptr = &cred_ndr;
|
||||
}
|
||||
|
||||
is_krbtgt = krb5_principal_is_krbtgt(context, server->entry.principal);
|
||||
|
||||
nt_status = samba_kdc_get_pac_blobs(mem_ctx, skdc_entry,
|
||||
&logon_blob,
|
||||
cred_ndr_ptr,
|
||||
&upn_blob,
|
||||
&pac_attrs_blob,
|
||||
is_krbtgt ? &pac_attrs_blob : NULL,
|
||||
pac_request,
|
||||
&requester_sid_blob,
|
||||
is_krbtgt ? &requester_sid_blob : NULL,
|
||||
NULL);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(mem_ctx);
|
||||
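Review bot: `is_krbtgt = krb5_principal_is_krbtgt(context, server->entry.principal);` dereferences the new `server` argument with no NULL check, while the plugin typedef gives no guarantee that callers pass one; the compat wrapper in the next hunk now forwards its own `server`, so the in-tree callers look fine, but a guard such as `if (server == NULL) { talloc_free(mem_ctx); return EINVAL; }` ahead of this line would make the assumption explicit and cheap. Two further points to confirm outside the hunk: the code that later consumes `pac_attrs_blob` and `requester_sid_blob` must tolerate them being left unset when `is_krbtgt` is false, and the TGT decision here is purely name-based (`krb5_principal_is_krbtgt`), so it should agree with whatever other krbtgt determination the plugin already makes for the server entry, otherwise a ticket could be classified differently in two places. samba_wdc_get_pac starts and ends outside this hunk.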
@ -101,10 +105,11 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
|
||||
|
||||
static krb5_error_code samba_wdc_get_pac_compat(void *priv, krb5_context context,
|
||||
struct hdb_entry_ex *client,
|
||||
struct hdb_entry_ex *server,
|
||||
const krb5_boolean *pac_request,
|
||||
krb5_pac *pac)
|
||||
{
|
||||
return samba_wdc_get_pac(priv, context, client, NULL, pac_request, pac);
|
||||
return samba_wdc_get_pac(priv, context, client, server, NULL, pac_request, pac);
|
||||
}
|
||||
|
||||
static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
|
||||
|