diff --git a/selftest/knownfail_mit_kdc.d/authn-policy b/selftest/knownfail_mit_kdc.d/authn-policy index 8ebc2e04dea..09988a79992 100644 --- a/selftest/knownfail_mit_kdc.d/authn-policy +++ b/selftest/knownfail_mit_kdc.d/authn-policy @@ -40,8 +40,6 @@ ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_allow_to_self_with_self.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_allow_user2user.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny.ad_dc -^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_as_req.ad_dc -^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_as_req_no_fast.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_from_rodc.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_to_self.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_to_self_with_self.ad_dc @@ -55,7 +53,6 @@ ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_allow.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_allow_from_rodc.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_deny.ad_dc -^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_deny_as_req.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_deny_from_rodc.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_derived_class_allow.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow.ad_dc @@ -75,7 +72,6 @@ ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_s4u2self.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_s4u2self_inner_fast.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny.ad_dc -^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_as_req.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_constrained_delegation.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_constrained_delegation_to_self.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_from_rodc.ad_dc diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index 72dc60bbdb6..d788031b0dd 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -448,61 +448,27 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx, krb5_pac *pac) { TALLOC_CTX *tmp_ctx; - const struct auth_user_info_dc *user_info_dc = NULL; - struct auth_user_info_dc *user_info_dc_shallow_copy = NULL; - DATA_BLOB *logon_info_blob = NULL; - DATA_BLOB *upn_dns_info_blob = NULL; - DATA_BLOB *cred_ndr = NULL; - DATA_BLOB **cred_ndr_ptr = NULL; - DATA_BLOB cred_blob = data_blob_null; - DATA_BLOB *pcred_blob = NULL; - DATA_BLOB *pac_attrs_blob = NULL; - DATA_BLOB *requester_sid_blob = NULL; - const DATA_BLOB *client_claims_blob = NULL; - NTSTATUS nt_status; krb5_error_code code; - struct samba_kdc_entry *skdc_entry; + struct samba_kdc_entry *client_entry = NULL; struct samba_kdc_entry *server_entry = NULL; - bool is_krbtgt; - /* Only include resource groups in a service ticket. */ - enum auth_group_inclusion group_inclusion; - enum samba_asserted_identity asserted_identity = - (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ? - SAMBA_ASSERTED_IDENTITY_SERVICE : - SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY; + uint32_t samba_flags = 0; + uint64_t pac_attributes = PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY; if (client == NULL) { return EINVAL; } - skdc_entry = talloc_get_type_abort(client->e_data, - struct samba_kdc_entry); + client_entry = talloc_get_type_abort(client->e_data, + struct samba_kdc_entry); /* This sets the time into the DSDB opaque */ - *smb_ctx->db_ctx->current_nttime_ull = skdc_entry->current_nttime; + *smb_ctx->db_ctx->current_nttime_ull = client_entry->current_nttime; if (server == NULL) { return EINVAL; } - { - int result = smb_krb5_principal_is_tgs(smb_ctx->context, server->princ); - if (result == -1) { - return ENOMEM; - } - - is_krbtgt = result; - } server_entry = talloc_get_type_abort(server->e_data, struct samba_kdc_entry); - /* Only include resource groups in a service ticket. */ - if (is_krbtgt) { - group_inclusion = AUTH_EXCLUDE_RESOURCE_GROUPS; - } else if (server_entry->supported_enctypes & KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED) { - group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS; - } else { - group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED; - } - tmp_ctx = talloc_named(smb_ctx, 0, "mit_samba_get_pac context"); @@ -510,133 +476,28 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx, return ENOMEM; } - /* Check if we have a PREAUTH key */ - if (replaced_reply_key != NULL) { - cred_ndr_ptr = &cred_ndr; + if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { + samba_flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION; } - code = samba_kdc_get_user_info_from_db(tmp_ctx, - server_entry->kdc_db_ctx, - skdc_entry, - skdc_entry->msg, - &user_info_dc); + code = samba_kdc_get_pac(tmp_ctx, + context, + server_entry->kdc_db_ctx, + samba_flags, + client_entry, + server->princ, + server_entry, + (struct samba_kdc_entry_pac) {} /* device */, + replaced_reply_key, + pac_attributes, + *pac, + NULL /* server_audit_info_out */, + NULL /* status_out */); if (code) { talloc_free(tmp_ctx); return code; } - /* Make a shallow copy of the user_info_dc structure. */ - nt_status = authsam_shallow_copy_user_info_dc(tmp_ctx, - user_info_dc, - &user_info_dc_shallow_copy); - user_info_dc = NULL; - - if (!NT_STATUS_IS_OK(nt_status)) { - DBG_ERR("Failed to allocate shallow copy of user_info_dc: %s\n", - nt_errstr(nt_status)); - talloc_free(tmp_ctx); - return map_errno_from_nt_status(nt_status); - } - - - nt_status = samba_kdc_add_asserted_identity(asserted_identity, - user_info_dc_shallow_copy); - if (!NT_STATUS_IS_OK(nt_status)) { - DBG_ERR("Failed to add asserted identity: %s\n", - nt_errstr(nt_status)); - talloc_free(tmp_ctx); - return EINVAL; - } - - nt_status = samba_kdc_add_claims_valid(user_info_dc_shallow_copy); - if (!NT_STATUS_IS_OK(nt_status)) { - DBG_ERR("Failed to add Claims Valid: %s\n", - nt_errstr(nt_status)); - talloc_free(tmp_ctx); - return EINVAL; - } - - /* We no longer need to modify this, so assign to const variable */ - user_info_dc = user_info_dc_shallow_copy; - - nt_status = samba_kdc_get_logon_info_blob(tmp_ctx, - user_info_dc, - group_inclusion, - &logon_info_blob); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return EINVAL; - } - - if (cred_ndr_ptr != NULL) { - nt_status = samba_kdc_get_cred_ndr_blob(tmp_ctx, - skdc_entry, - cred_ndr_ptr); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return EINVAL; - } - } - - nt_status = samba_kdc_get_upn_info_blob(tmp_ctx, - user_info_dc, - &upn_dns_info_blob); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return EINVAL; - } - - if (is_krbtgt) { - nt_status = samba_kdc_get_pac_attrs_blob(tmp_ctx, - PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY, - &pac_attrs_blob); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return EINVAL; - } - - nt_status = samba_kdc_get_requester_sid_blob(tmp_ctx, - user_info_dc, - &requester_sid_blob); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return EINVAL; - } - } - - nt_status = samba_kdc_get_claims_blob(tmp_ctx, - skdc_entry, - &client_claims_blob); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return EINVAL; - } - - if (replaced_reply_key != NULL && cred_ndr != NULL) { - code = samba_kdc_encrypt_pac_credentials(context, - replaced_reply_key, - cred_ndr, - tmp_ctx, - &cred_blob); - if (code != 0) { - talloc_free(tmp_ctx); - return code; - } - pcred_blob = &cred_blob; - } - - code = samba_make_krb5_pac(context, - logon_info_blob, - pcred_blob, - upn_dns_info_blob, - pac_attrs_blob, - requester_sid_blob, - NULL /* deleg_blob */, - client_claims_blob, - NULL /* device_info_blob */, - NULL /* device_claims_blob */, - *pac); - talloc_free(tmp_ctx); return code; }