1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:kdc: Do not add Claims Valid SID twice

samba_kdc_get_user_info_dc() now adds the SID itself.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2023-10-31 14:50:12 +13:00 committed by Andrew Bartlett
parent 54eb175816
commit 6760dd48ad

View File

@ -3182,8 +3182,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
TALLOC_CTX *frame = NULL;
krb5_error_code code = 0;
NTSTATUS nt_status;
const struct auth_user_info_dc *device_info_const = NULL;
struct auth_user_info_dc *device_info_shallow_copy = NULL;
const struct auth_user_info_dc *device_info = NULL;
struct authn_audit_info *client_audit_info = NULL;
struct auth_claims auth_claims = {};
@ -3227,39 +3226,12 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
context,
samdb,
device,
&device_info_const,
&device_info,
NULL);
if (code) {
goto out;
}
if (!samba_krb5_pac_is_trusted(device)) {
/* Make a shallow copy of the user_info_dc structure. */
nt_status = authsam_shallow_copy_user_info_dc(frame,
device_info_const,
&device_info_shallow_copy);
device_info_const = NULL;
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to copy user_info_dc: %s\n",
nt_errstr(nt_status));
code = KRB5KDC_ERR_TGT_REVOKED;
goto out;
}
nt_status = samba_kdc_add_claims_valid(device_info_shallow_copy);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to add Claims Valid: %s\n",
nt_errstr(nt_status));
code = KRB5KDC_ERR_TGT_REVOKED;
goto out;
}
/* no more modification required so we can assign to const now */
device_info_const = device_info_shallow_copy;
}
/*
* The device claims become the *user* claims for the purpose of
* evaluating a conditional ACE expression.
@ -3276,7 +3248,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
nt_status = authn_policy_authenticate_from_device(frame,
samdb,
lp_ctx,
device_info_const,
device_info,
auth_claims,
client_policy,
&client_audit_info);