
s4:kdc: Update Samba KDC plugin to match new Heimdal version

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton 2023-06-20 11:14:50 +12:00 committed by Stefan Metzmacher
parent 95c02a9794
commit 8425ffc8f3


@ -240,7 +240,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
}
static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r,
const krb5_principal delegated_proxy_principal,
const hdb_entry *delegated_proxy,
const hdb_entry *client,
const hdb_entry *server,
const hdb_entry *krbtgt,
@ -295,7 +295,7 @@ static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r,
flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;
}
if (delegated_proxy_principal != NULL) {
if (delegated_proxy != NULL) {
krb5_enctype etype;
Key *key = NULL;
@ -374,8 +374,9 @@ out:
/* Resign (and reform, including possibly new groups) a PAC */
static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
const krb5_principal _client_principal,
const krb5_principal delegated_proxy_principal,
krb5_const_principal _client_principal,
hdb_entry *delegated_proxy,
krb5_const_pac delegated_proxy_pac,
hdb_entry *client,
hdb_entry *server,
hdb_entry *krbtgt,
@ -384,6 +385,7 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
krb5_context context = kdc_request_get_context((kdc_request_t)r);
const hdb_entry *device = kdc_request_get_explicit_armor_client(r);
const krb5_const_pac device_pac = kdc_request_get_explicit_armor_pac(r);
krb5_const_principal delegated_proxy_principal = NULL;
struct samba_kdc_entry *client_skdc_entry = NULL;
struct samba_kdc_entry *device_skdc_entry = NULL;
const struct samba_kdc_entry *server_skdc_entry =
@ -402,6 +404,10 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
return ENOMEM;
}
if (delegated_proxy != NULL) {
delegated_proxy_principal = delegated_proxy->principal;
}
if (client != NULL) {
client_skdc_entry = talloc_get_type_abort(client->context,
struct samba_kdc_entry);
@ -477,8 +483,8 @@ out:
/* Verify a PAC's SID and signatures */
static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
const krb5_principal client_principal,
const krb5_principal delegated_proxy_principal,
krb5_const_principal _client_principal,
hdb_entry *delegated_proxy,
hdb_entry *client,
hdb_entry *server,
hdb_entry *krbtgt,
@ -499,16 +505,15 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
krb5_const_pac explicit_armor_pac =
kdc_request_get_explicit_armor_pac(r);
if (delegated_proxy_principal) {
if (delegated_proxy) {
uint16_t rodc_id;
unsigned int my_krbtgt_number;
/*
* We're using delegated_proxy_principal for the moment to
* indicate cases where the ticket was encrypted with the server
* key, and not a krbtgt key. This cannot be trusted, so we need
* to find a krbtgt key that signs the PAC in order to trust the
* ticket.
* We're using delegated_proxy for the moment to indicate cases
* where the ticket was encrypted with the server key, and not a
* krbtgt key. This cannot be trusted, so we need to find a
* krbtgt key that signs the PAC in order to trust the ticket.
*
* The krbtgt passed in to this function refers to the krbtgt
* used to decrypt the ticket of the server requesting
@ -618,7 +623,7 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
}
ret = samba_wdc_verify_pac2(r,
delegated_proxy_principal,
delegated_proxy,
client,
server,
krbtgt,