
s4:kdc: Add the Asserted Identity SID to the PAC only if the original RODC‐issued PAC contained it

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2023-10-30 15:12:34 +13:00 committed by Andrew Bartlett
parent 915b40521e
commit b0da50b5b0
2 changed files with 72 additions and 16 deletions


@ -125,16 +125,7 @@
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_delegating_proxy_in_network_group_rbcd\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_asserted_identity_missing_from_rodc\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_compound_authentication_from_rodc\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_service_asserted_identity_from_rodc\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_without_claims_valid_both_from_rodc\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_without_claims_valid_client_from_rodc\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_network_group\(ad_dc\)$


@ -1161,6 +1161,60 @@ krb5_error_code samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx,
return 0;
}
/*
* Check whether a PAC contains the Authentication Authority Asserted Identity
* SID.
*/
static krb5_error_code samba_kdc_pac_contains_asserted_identity(
krb5_context context,
const struct samba_kdc_entry_pac entry,
bool *contains_out)
{
TALLOC_CTX *frame = NULL;
struct auth_user_info_dc *info = NULL;
krb5_error_code ret = 0;
if (contains_out == NULL) {
ret = EINVAL;
goto out;
}
*contains_out = false;
frame = talloc_stackframe();
/*
* Extract our info from the PAC. This does a bit of unnecessary work,
* setting up fields we dont care about we only want the SIDs.
*/
ret = kerberos_pac_to_user_info_dc(frame,
entry.pac,
context,
&info,
AUTH_EXCLUDE_RESOURCE_GROUPS,
NULL /* pac_srv_sig */,
NULL /* pac_kdc_sig */,
/* Ignore the resource groups. */
NULL /* resource_groups */);
if (ret) {
const char *krb5err = krb5_get_error_message(context, ret);
DBG_ERR("kerberos_pac_to_user_info_dc failed: %s\n",
krb5err != NULL ? krb5err : "?");
krb5_free_error_message(context, krb5err);
goto out;
}
/* Determine whether the PAC contains the Asserted Identity SID. */
*contains_out = sid_attrs_contains_sid(
info->sids,
info->num_sids,
&global_sid_Asserted_Identity_Authentication_Authority);
out:
talloc_free(frame);
return ret;
}
static krb5_error_code samba_kdc_get_user_info_from_pac(TALLOC_CTX *mem_ctx,
krb5_context context,
struct ldb_context *samdb,
@ -1266,6 +1320,7 @@ krb5_error_code samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
{
const struct auth_user_info_dc *info = NULL;
struct auth_user_info_dc *info_shallow_copy = NULL;
bool pac_contains_asserted_identity = false;
krb5_error_code ret = 0;
NTSTATUS nt_status;
@ -1323,7 +1378,16 @@ krb5_error_code samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
return map_errno_from_nt_status(nt_status);
}
nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
/* Determine whether the PAC contains the Asserted Identity SID. */
ret = samba_kdc_pac_contains_asserted_identity(
context, entry, &pac_contains_asserted_identity);
if (ret) {
return ret;
}
if (pac_contains_asserted_identity) {
nt_status = samba_kdc_add_asserted_identity(
SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
info_shallow_copy);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to add asserted identity: %s\n",
@ -1331,6 +1395,7 @@ krb5_error_code samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
TALLOC_FREE(info_shallow_copy);
return KRB5KDC_ERR_TGT_REVOKED;
}
}
nt_status = samba_kdc_add_claims_valid(info_shallow_copy);
if (!NT_STATUS_IS_OK(nt_status)) {
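Review bot: The new early return `return ret;` after the samba_kdc_pac_contains_asserted_identity() call in the third hunk does not release info_shallow_copy, whereas the sibling failure path a few lines below does `TALLOC_FREE(info_shallow_copy); return KRB5KDC_ERR_TGT_REVOKED;`; if the shallow copy has already been made at that point (which that sibling path suggests), the new path should match it: `if (ret) { TALLOC_FREE(info_shallow_copy); return ret; }`. The enclosing function samba_kdc_get_user_info_dc begins and ends outside the hunk. In the first hunk, the block comment inside samba_kdc_pac_contains_asserted_identity reads `setting up fields we dont care about we only want the SIDs.`, which I would write as `setting up fields we don't care about; we only want the SIDs.`. That function's header comment would also benefit from stating that the check is deliberately made against entry.pac as received, i.e. the PAC the RODC issued, rather than against the user info that is later modified, so that a future reader does not replace the re-parse with a lookup on info_shallow_copy.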