2025-02-25 17:57:42 +03:00 · 2023-06-16 14:49:11 +12:00 · 2023-06-16 14:49:11 +12:00 · cf139d1421
commit cf139d1421
parent d0d52262f7
5 changed files with 43 additions and 6 deletions
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@ -717,7 +717,9 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
 				    NULL /* device */,
 				    NULL /* device_pac */,
 				    *pac,
-				    new_pac);
+				    new_pac,
+				    NULL /* server_audit_info_out */,
+				    NULL /* status_out */);
 	if (code != 0) {
 		krb5_pac_free(context, new_pac);
 		if (code == ENOATTR) {
@ -831,7 +833,9 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
 				    NULL /* device */,
 				    NULL /* device_pac */,
 				    old_pac,
-				    new_pac);
+				    new_pac,
+				    NULL /* server_audit_info_out */,
+				    NULL /* status_out */);
 	if (code != 0) {
 		if (code == ENOATTR) {
 			/*
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@ -2337,7 +2337,9 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 				     struct samba_kdc_entry *device,
 				     const krb5_const_pac device_pac,
 				     const krb5_const_pac old_pac,
-				     krb5_pac new_pac)
+				     krb5_pac new_pac,
+				     struct authn_audit_info **server_audit_info_out,
+				     NTSTATUS *status_out)
 {
 	krb5_error_code code = EINVAL;
 	NTSTATUS nt_status;
@ -2360,6 +2362,14 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 	struct pac_blobs pac_blobs;
 	pac_blobs_init(&pac_blobs);

+	if (server_audit_info_out != NULL) {
+		*server_audit_info_out = NULL;
+	}
+
+	if (status_out != NULL) {
+		*status_out = NT_STATUS_OK;
+	}
+
 	is_tgs = smb_krb5_principal_is_tgs(context, server_principal);
 	if (is_tgs == -1) {
 		code = ENOMEM;
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@ -140,7 +140,9 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 				     struct samba_kdc_entry *device,
 				     krb5_const_pac device_pac,
 				     krb5_const_pac old_pac,
-				     krb5_pac new_pac);
+				     krb5_pac new_pac,
+				     struct authn_audit_info **server_audit_info_out,
+				     NTSTATUS *status_out);

 NTSTATUS samba_kdc_get_logon_info_blob(TALLOC_CTX *mem_ctx,
 				       const struct auth_user_info_dc *user_info_dc,
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@ -22,6 +22,7 @@
 */

 #include "includes.h"
+#include "kdc/authn_policy_util.h"
 #include "kdc/kdc-glue.h"
 #include "kdc/db-glue.h"
 #include "kdc/pac-glue.h"
@ -391,7 +392,9 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
 		talloc_get_type_abort(krbtgt->context, struct samba_kdc_entry);
 	TALLOC_CTX *mem_ctx = NULL;
 	krb5_pac new_pac = NULL;
+	struct authn_audit_info *server_audit_info = NULL;
 	krb5_error_code ret;
+	NTSTATUS status = NT_STATUS_OK;
 	uint32_t flags = 0;

 	mem_ctx = talloc_named(NULL, 0, "samba_wdc_reget_pac context");
@ -433,7 +436,25 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
 				   device_skdc_entry,
 				   device_pac,
 				   *pac,
-				   new_pac);
+				   new_pac,
+				   &server_audit_info,
+				   &status);
+	if (server_audit_info != NULL) {
+		krb5_error_code ret2;
+
+		ret2 = hdb_samba4_set_steal_server_audit_info(r, server_audit_info);
+		if (ret2) {
+			ret = ret2;
+		}
+	}
+	if (!NT_STATUS_IS_OK(status)) {
+		krb5_error_code ret2;
+
+		ret2 = hdb_samba4_set_ntstatus(r, status, ret);
+		if (ret2) {
+			ret = ret2;
+		}
+	}
 	if (ret != 0) {
 		krb5_pac_free(context, new_pac);
 		if (ret == ENOATTR) {
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@ -98,7 +98,7 @@ bld.SAMBA_SUBSYSTEM('KDC-GLUE',
 bld.SAMBA_SUBSYSTEM('WDC_SAMBA4',
 	source='wdc-samba4.c',
        includes=kdc_include,
-	deps='ldb auth4_sam common_auth samba-credentials hdb PAC_GLUE samba-hostconfig com_err KDC-GLUE',
+	deps='ldb auth4_sam common_auth samba-credentials hdb PAC_GLUE samba-hostconfig com_err KDC-GLUE authn_policy_util',
 	enabled=bld.CONFIG_SET('SAMBA4_USES_HEIMDAL')
 	)