
s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add the Claims Valid SID

samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.

By extracting the call to samba_kdc_add_claims_valid() into the former
function’s callers, we’ll be able to remove the ‘claims_valid’ parameter
in the next commit, reducing the function’s complexity.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2023-09-27 16:23:33 +13:00 committed by Joseph Sutton
parent e0a3dd5499
commit cfeb3d75cb
3 changed files with 41 additions and 4 deletions


@ -487,7 +487,7 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
nt_status = samba_kdc_get_user_info_dc(tmp_ctx,
skdc_entry,
asserted_identity,
SAMBA_CLAIMS_VALID_INCLUDE,
SAMBA_CLAIMS_VALID_EXCLUDE,
&user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
@ -498,6 +498,15 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
return EINVAL;
}
nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to add Claims Valid: %s\n",
nt_errstr(nt_status));
talloc_free(tmp_ctx);
return EINVAL;
}
nt_status = samba_kdc_get_logon_info_blob(tmp_ctx,
user_info_dc,
group_inclusion,
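Review bot: The added samba_kdc_add_claims_valid() call is now the only step that puts the Claims Valid SID into user_info_dc before samba_kdc_get_logon_info_blob() serialises it on the following lines, and nothing in the hunk records that ordering now that samba_kdc_get_user_info_dc() is called with SAMBA_CLAIMS_VALID_EXCLUDE. A one-line comment above the call, `/* Claims Valid must be added before user_info_dc is turned into PAC logon info. */`, would keep a later refactor from moving or dropping the step, which would silently yield a PAC without that SID. The same comment is warranted at the equivalent blocks in the second file (samba_kdc_get_device_info_blob and samba_kdc_check_device) and the third (samba_wdc_get_pac). The failure path collapses the NT status to EINVAL, which matches the pre-existing path just above it, so that is consistent here. mit_samba_get_pac's body continues outside the hunk.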


@ -2027,7 +2027,7 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
nt_status = samba_kdc_get_user_info_dc(frame,
device,
SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
SAMBA_CLAIMS_VALID_INCLUDE,
SAMBA_CLAIMS_VALID_EXCLUDE,
&device_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
@ -2036,6 +2036,15 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
return KRB5KDC_ERR_TGT_REVOKED;
}
nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
device_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to add Claims Valid: %s\n",
nt_errstr(nt_status));
talloc_free(frame);
return KRB5KDC_ERR_TGT_REVOKED;
}
nt_status = auth_convert_user_info_dc_saminfo3(frame, device_info_dc,
AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED,
&info3,
@ -2927,7 +2936,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
nt_status = samba_kdc_get_user_info_dc(frame,
device,
SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
SAMBA_CLAIMS_VALID_INCLUDE,
SAMBA_CLAIMS_VALID_EXCLUDE,
&device_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
@ -2936,6 +2945,16 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
code = KRB5KDC_ERR_TGT_REVOKED;
goto out;
}
nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
device_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to add Claims Valid: %s\n",
nt_errstr(nt_status));
code = KRB5KDC_ERR_TGT_REVOKED;
goto out;
}
}
nt_status = authn_policy_authenticate_from_device(frame,
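Review bot: The new log line in the first hunk, `DBG_ERR("Failed to add Claims Valid: %s\n", nt_errstr(nt_status));`, departs from the naming style used a few lines earlier in the same function, where the failed call is named (`"samba_kdc_get_user_info_dc failed: %s\n"`); `DBG_ERR("samba_kdc_add_claims_valid failed: %s\n", nt_errstr(nt_status));` would keep the KDC log greppable by function name. The identical wording appears in the samba_kdc_check_device hunk below, so both should change together. Mapping the failure to KRB5KDC_ERR_TGT_REVOKED mirrors the existing failure path directly above in each hunk, so that choice is consistent, though it presumably also covers a plain allocation failure from samba_kdc_add_claims_valid(). Both functions' bodies continue outside the hunks.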


@ -126,13 +126,22 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
nt_status = samba_kdc_get_user_info_dc(mem_ctx,
skdc_entry,
asserted_identity,
SAMBA_CLAIMS_VALID_INCLUDE,
SAMBA_CLAIMS_VALID_EXCLUDE,
&user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return map_errno_from_nt_status(nt_status);
}
nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to add Claims Valid: %s\n",
nt_errstr(nt_status));
talloc_free(mem_ctx);
return map_errno_from_nt_status(nt_status);
}
/*
* For an S4U2Self request, the authentication policy is not enforced.
*/