sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-24 13:57:43 +03:00
Code

s4:kdc: move device_{info,claims}_blob generation in samba_kdc_update_pac()

Browse Source 
We should generate the device blobs after generating the client blobs
and also after all access checking.

We also use the samba_kdc_get_claims_blob() helper,
which is currently only a wrapper around
claims_data_encoded_claims_set(), but that will change in future...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This commit is contained in:
Stefan Metzmacher 2025-02-19 14:12:27 +01:00 committed by Ralph Boehme
parent 914533d38f
commit 6cd0297ffe
1 changed files with 27 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
source4/kdc/pac-glue.c
View File

@ -2623,8 +2623,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
DATA_BLOB *deleg_blob = NULL;
DATA_BLOB *requester_sid_blob = NULL;
const DATA_BLOB *client_claims_blob = NULL;
DATA_BLOB device_claims_blob = {};
const DATA_BLOB *device_claims_blob_ptr = NULL;
const DATA_BLOB *device_claims_blob = NULL;
struct auth_claims pac_claims = {};
DATA_BLOB *device_info_blob = NULL;
bool is_tgs = false;
@ -2637,6 +2636,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
bool compounded_auth = false;
bool need_device = false;
bool regenerate_client_claims = false;
bool regenerate_device_claims = false;
size_t i = 0;
if (server_audit_info_out != NULL) {
@ -2737,33 +2737,10 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
kdc_db_ctx,
device,
&pac_claims.device_claims,
NULL); /* _need_regeneration */
&regenerate_device_claims);
if (code) {
goto done;
}
if (compounded_auth) {
nt_status = claims_data_encoded_claims_set(tmp_ctx,
pac_claims.device_claims,
&device_claims_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("claims_data_encoded_claims_set failed: %s\n",
nt_errstr(nt_status));
code = map_errno_from_nt_status(nt_status);
goto done;
}
device_claims_blob_ptr = &device_claims_blob;
code = samba_kdc_get_device_info_blob(tmp_ctx,
context,
kdc_db_ctx,
device_info_dc,
&device_info_blob);
if (code != 0) {
goto done;
}
}
}
if (delegated_proxy_principal != NULL) {
@ -2942,6 +2919,29 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
}
}
if (compounded_auth) {
code = samba_kdc_get_device_info_blob(tmp_ctx,
context,
kdc_db_ctx,
device_info_dc,
&device_info_blob);
if (code != 0) {
goto done;
}
if (regenerate_device_claims) {
nt_status = samba_kdc_get_claims_blob(tmp_ctx,
pac_claims.device_claims,
&device_claims_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("samba_kdc_get_claims_blob() failed: %s\n",
nt_errstr(nt_status));
code = map_errno_from_nt_status(nt_status);
goto done;
}
}
}
/* Check the types of the given PAC */
code = pac_blobs_from_krb5_pac(tmp_ctx,
context,
@ -3012,7 +3012,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
code = pac_blobs_add_blob(pac_blobs,
PAC_TYPE_DEVICE_CLAIMS_INFO,
device_claims_blob_ptr);
device_claims_blob);
if (code != 0) {
goto done;
}