s4:kdc: let mit_samba_get_pac() use samba_kdc_get_pac()

It means we port commit b42fbc78395870c3caa33aa1c9636a59fde9e867 also to the
MIT kdc and enforce authentication policy service restrictions when getting a PAC

We should have this logic only once in order to avoid getting out of
sync between heimdal and MIT regarding the core logic.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

selftest/knownfail_mit_kdc.d/authn-policy

@@ -40,8 +40,6 @@
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_allow_to_self_with_self.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_allow_user2user.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_as_req.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_as_req_no_fast.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_from_rodc.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_to_self.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_to_self_with_self.ad_dc
@@ -55,7 +53,6 @@
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_allow.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_allow_from_rodc.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_deny.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_deny_as_req.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_deny_from_rodc.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_derived_class_allow.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow.ad_dc
@@ -75,7 +72,6 @@
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_s4u2self.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_s4u2self_inner_fast.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_as_req.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_constrained_delegation.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_constrained_delegation_to_self.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_from_rodc.ad_dc

source4/kdc/mit_samba.c

@@ -448,61 +448,27 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 				  krb5_pac *pac)
 {
 	TALLOC_CTX *tmp_ctx;
-	const struct auth_user_info_dc *user_info_dc = NULL;
-	struct auth_user_info_dc *user_info_dc_shallow_copy = NULL;
-	DATA_BLOB *logon_info_blob = NULL;
-	DATA_BLOB *upn_dns_info_blob = NULL;
-	DATA_BLOB *cred_ndr = NULL;
-	DATA_BLOB **cred_ndr_ptr = NULL;
-	DATA_BLOB cred_blob = data_blob_null;
-	DATA_BLOB *pcred_blob = NULL;
-	DATA_BLOB *pac_attrs_blob = NULL;
-	DATA_BLOB *requester_sid_blob = NULL;
-	const DATA_BLOB *client_claims_blob = NULL;
-	NTSTATUS nt_status;
 	krb5_error_code code;
-	struct samba_kdc_entry *skdc_entry;
+	struct samba_kdc_entry *client_entry = NULL;
 	struct samba_kdc_entry *server_entry = NULL;
-	bool is_krbtgt;
-	/* Only include resource groups in a service ticket. */
-	enum auth_group_inclusion group_inclusion;
-	enum samba_asserted_identity asserted_identity =
-		(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
-			SAMBA_ASSERTED_IDENTITY_SERVICE :
-			SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
+	uint32_t samba_flags = 0;
+	uint64_t pac_attributes = PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY;
 
 	if (client == NULL) {
 		return EINVAL;
 	}
-	skdc_entry = talloc_get_type_abort(client->e_data,
-					   struct samba_kdc_entry);
+	client_entry = talloc_get_type_abort(client->e_data,
+					     struct samba_kdc_entry);
 
        /* This sets the time into the DSDB opaque */
-	*smb_ctx->db_ctx->current_nttime_ull = skdc_entry->current_nttime;
+	*smb_ctx->db_ctx->current_nttime_ull = client_entry->current_nttime;
 
 	if (server == NULL) {
 		return EINVAL;
 	}
-	{
-		int result = smb_krb5_principal_is_tgs(smb_ctx->context, server->princ);
-		if (result == -1) {
-			return ENOMEM;
-		}
-
-		is_krbtgt = result;
-	}
 	server_entry = talloc_get_type_abort(server->e_data,
 					     struct samba_kdc_entry);
 
-	/* Only include resource groups in a service ticket. */
-	if (is_krbtgt) {
-		group_inclusion = AUTH_EXCLUDE_RESOURCE_GROUPS;
-	} else if (server_entry->supported_enctypes & KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED) {
-		group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS;
-	} else {
-		group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED;
-	}
-
 	tmp_ctx = talloc_named(smb_ctx,
 			       0,
 			       "mit_samba_get_pac context");
@@ -510,133 +476,28 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 		return ENOMEM;
 	}
 
-	/* Check if we have a PREAUTH key */
-	if (replaced_reply_key != NULL) {
-		cred_ndr_ptr = &cred_ndr;
+	if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
+		samba_flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;
 	}
 
-	code = samba_kdc_get_user_info_from_db(tmp_ctx,
-					       server_entry->kdc_db_ctx,
-					       skdc_entry,
-					       skdc_entry->msg,
-					       &user_info_dc);
+	code = samba_kdc_get_pac(tmp_ctx,
+				 context,
+				 server_entry->kdc_db_ctx,
+				 samba_flags,
+				 client_entry,
+				 server->princ,
+				 server_entry,
+				 (struct samba_kdc_entry_pac) {} /* device */,
+				 replaced_reply_key,
+				 pac_attributes,
+				 *pac,
+				 NULL /* server_audit_info_out */,
+				 NULL /* status_out */);
 	if (code) {
 		talloc_free(tmp_ctx);
 		return code;
 	}
 
-	/* Make a shallow copy of the user_info_dc structure. */
-	nt_status = authsam_shallow_copy_user_info_dc(tmp_ctx,
-						      user_info_dc,
-						      &user_info_dc_shallow_copy);
-	user_info_dc = NULL;
-
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DBG_ERR("Failed to allocate shallow copy of user_info_dc: %s\n",
-			nt_errstr(nt_status));
-		talloc_free(tmp_ctx);
-		return map_errno_from_nt_status(nt_status);
-	}
-
-
-	nt_status = samba_kdc_add_asserted_identity(asserted_identity,
-						    user_info_dc_shallow_copy);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DBG_ERR("Failed to add asserted identity: %s\n",
-			nt_errstr(nt_status));
-		talloc_free(tmp_ctx);
-		return EINVAL;
-	}
-
-	nt_status = samba_kdc_add_claims_valid(user_info_dc_shallow_copy);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DBG_ERR("Failed to add Claims Valid: %s\n",
-			nt_errstr(nt_status));
-		talloc_free(tmp_ctx);
-		return EINVAL;
-	}
-
-	/* We no longer need to modify this, so assign to const variable */
-	user_info_dc = user_info_dc_shallow_copy;
-
-	nt_status = samba_kdc_get_logon_info_blob(tmp_ctx,
-						  user_info_dc,
-						  group_inclusion,
-						  &logon_info_blob);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(tmp_ctx);
-		return EINVAL;
-	}
-
-	if (cred_ndr_ptr != NULL) {
-		nt_status = samba_kdc_get_cred_ndr_blob(tmp_ctx,
-							skdc_entry,
-							cred_ndr_ptr);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			talloc_free(tmp_ctx);
-			return EINVAL;
-		}
-	}
-
-	nt_status = samba_kdc_get_upn_info_blob(tmp_ctx,
-						user_info_dc,
-						&upn_dns_info_blob);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(tmp_ctx);
-		return EINVAL;
-	}
-
-	if (is_krbtgt) {
-		nt_status = samba_kdc_get_pac_attrs_blob(tmp_ctx,
-							 PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
-							 &pac_attrs_blob);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			talloc_free(tmp_ctx);
-			return EINVAL;
-		}
-
-		nt_status = samba_kdc_get_requester_sid_blob(tmp_ctx,
-							     user_info_dc,
-							     &requester_sid_blob);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			talloc_free(tmp_ctx);
-			return EINVAL;
-		}
-	}
-
-	nt_status = samba_kdc_get_claims_blob(tmp_ctx,
-					      skdc_entry,
-					      &client_claims_blob);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(tmp_ctx);
-		return EINVAL;
-	}
-
-	if (replaced_reply_key != NULL && cred_ndr != NULL) {
-		code = samba_kdc_encrypt_pac_credentials(context,
-							 replaced_reply_key,
-							 cred_ndr,
-							 tmp_ctx,
-							 &cred_blob);
-		if (code != 0) {
-			talloc_free(tmp_ctx);
-			return code;
-		}
-		pcred_blob = &cred_blob;
-	}
-
-	code = samba_make_krb5_pac(context,
-				   logon_info_blob,
-				   pcred_blob,
-				   upn_dns_info_blob,
-				   pac_attrs_blob,
-				   requester_sid_blob,
-				   NULL /* deleg_blob */,
-				   client_claims_blob,
-				   NULL /* device_info_blob */,
-				   NULL /* device_claims_blob */,
-				   *pac);
-
 	talloc_free(tmp_ctx);
 	return code;
 }