sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-03 04:22:09 +03:00
Code Activity

s4:kdc: Add support for AD client claims

Browse Source 
We now create a client claims blob and add it to the PAC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton
2023-03-20 16:58:47 +13:00
committed by Andrew Bartlett
parent c9ff654200
commit e446e5816b
13 changed files with 259 additions and 206 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
selftest/knownfail.d/tokengroups-claims-valid
View File

@ -1,4 +0,0 @@
^samba4.tokengroups.krb5.python.__main__.DynamicTokenTest.test_pac_groups.ad_dc_default:local
^samba4.tokengroups.krb5.python.__main__.DynamicTokenTest.test_rootDSE_tokenGroups.ad_dc_default:local
^samba4.tokengroups.krb5.python.__main__.StaticTokenTest.test_pac_groups.ad_dc_default:local
^samba4.tokengroups.krb5.python.__main__.StaticTokenTest.test_rootDSE_tokenGroups.ad_dc_default:local

94
selftest/knownfail_heimdal_kdc
View File

@ -59,107 +59,13 @@
# #
# Claims tests # Claims tests
# #
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_large_compressed_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_large_compressed_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_string_syntax_duplicate_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_string_syntax_duplicate_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_delete.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_modify.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_remove_claims_delete.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_remove_claims_modify.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_delete.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_delete.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_modify.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_modify.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_remove_claims_delete.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_remove_claims_delete.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_remove_claims_modify.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_remove_claims_modify.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc
# #
# Group tests # Group tests
# #

90
selftest/knownfail_mit_kdc
View File

@ -463,92 +463,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
# #
# Claims tests # Claims tests
# #
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_large_compressed_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_large_compressed_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_string_syntax_duplicate_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_string_syntax_duplicate_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
@ -560,10 +474,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_modify.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_modify.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_remove_claims_delete.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_remove_claims_delete.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_remove_claims_modify.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_remove_claims_modify.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc
# #
# Lockout tests # Lockout tests
# #

42
selftest/knownfail_mit_kdc_1_20
View File

@ -10,7 +10,49 @@
# #
# Claims tests # Claims tests
# #
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_large_compressed_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_to_self.ad_dc ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_string_syntax_duplicate_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
# #
# Group tests # Group tests
# #

5
selftest/knownfail_mit_kdc_pre_1_20
View File

@ -196,3 +196,8 @@ samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.Simple
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_rodc_issued\( ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_rodc_issued\(
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum\( ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum\(
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum\( ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum\(
#
# Claims tests
#
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc

2
source4/kdc/db-glue.c
View File

@ -1449,6 +1449,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
supported_enctypes |= ENC_FAST_SUPPORTED; supported_enctypes |= ENC_FAST_SUPPORTED;
} }
supported_enctypes |= ENC_CLAIMS_SUPPORTED;
/* /*
* Resource SID compression is enabled implicitly, unless * Resource SID compression is enabled implicitly, unless
* disabled in msDS-SupportedEncryptionTypes. * disabled in msDS-SupportedEncryptionTypes.

15
source4/kdc/mit_samba.c
View File

@ -473,6 +473,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
DATA_BLOB *pcred_blob = NULL; DATA_BLOB *pcred_blob = NULL;
DATA_BLOB *pac_attrs_blob = NULL; DATA_BLOB *pac_attrs_blob = NULL;
DATA_BLOB *requester_sid_blob = NULL; DATA_BLOB *requester_sid_blob = NULL;
DATA_BLOB *client_claims_blob = NULL;
NTSTATUS nt_status; NTSTATUS nt_status;
krb5_error_code code; krb5_error_code code;
struct samba_kdc_entry *skdc_entry; struct samba_kdc_entry *skdc_entry;
@ -484,6 +485,8 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ? (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
SAMBA_ASSERTED_IDENTITY_SERVICE : SAMBA_ASSERTED_IDENTITY_SERVICE :
SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY; SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
const enum samba_claims_valid claims_valid = SAMBA_CLAIMS_VALID_INCLUDE;
const enum samba_compounded_auth compounded_auth = SAMBA_COMPOUNDED_AUTH_EXCLUDE;
skdc_entry = talloc_get_type_abort(client->e_data, skdc_entry = talloc_get_type_abort(client->e_data,
struct samba_kdc_entry); struct samba_kdc_entry);
@ -515,6 +518,8 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
nt_status = samba_kdc_get_user_info_dc(tmp_ctx, nt_status = samba_kdc_get_user_info_dc(tmp_ctx,
skdc_entry, skdc_entry,
asserted_identity, asserted_identity,
claims_valid,
compounded_auth,
&user_info_dc); &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) { if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx); talloc_free(tmp_ctx);
@ -570,6 +575,14 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
} }
} }
nt_status = samba_kdc_get_claims_blob(tmp_ctx,
skdc_entry,
&client_claims_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return EINVAL;
}
if (replaced_reply_key != NULL && cred_ndr != NULL) { if (replaced_reply_key != NULL && cred_ndr != NULL) {
code = samba_kdc_encrypt_pac_credentials(context, code = samba_kdc_encrypt_pac_credentials(context,
replaced_reply_key, replaced_reply_key,
@ -590,7 +603,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
pac_attrs_blob, pac_attrs_blob,
requester_sid_blob, requester_sid_blob,
NULL, /* deleg_blob */ NULL, /* deleg_blob */
NULL, /* client_claims_blob */ client_claims_blob,
NULL, /* device_info_blob */ NULL, /* device_info_blob */
NULL, /* device_claims_blob */ NULL, /* device_claims_blob */
*pac); *pac);

136
source4/kdc/pac-glue.c
View File

@ -40,6 +40,7 @@
#include "source4/dsdb/samdb/samdb.h" #include "source4/dsdb/samdb/samdb.h"
#include "source4/kdc/samba_kdc.h" #include "source4/kdc/samba_kdc.h"
#include "source4/kdc/pac-glue.h" #include "source4/kdc/pac-glue.h"
#include "source4/kdc/ad_claims.h"
#include <ldb.h> #include <ldb.h>
@ -131,6 +132,7 @@ static krb5_error_code pac_blobs_from_krb5_pac(struct pac_blobs *pac_blobs,
case PAC_TYPE_LOGON_NAME: case PAC_TYPE_LOGON_NAME:
case PAC_TYPE_CONSTRAINED_DELEGATION: case PAC_TYPE_CONSTRAINED_DELEGATION:
case PAC_TYPE_UPN_DNS_INFO: case PAC_TYPE_UPN_DNS_INFO:
case PAC_TYPE_CLIENT_CLAIMS_INFO:
case PAC_TYPE_TICKET_CHECKSUM: case PAC_TYPE_TICKET_CHECKSUM:
case PAC_TYPE_ATTRIBUTES_INFO: case PAC_TYPE_ATTRIBUTES_INFO:
case PAC_TYPE_REQUESTER_SID: case PAC_TYPE_REQUESTER_SID:
@ -488,6 +490,30 @@ NTSTATUS samba_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK; return NT_STATUS_OK;
} }
static
NTSTATUS samba_get_claims_blob(TALLOC_CTX *mem_ctx,
struct ldb_context *samdb,
struct ldb_dn *principal_dn,
DATA_BLOB *client_claims_data)
{
union PAC_INFO client_claims;
int ret;
ZERO_STRUCT(client_claims);
*client_claims_data = data_blob_null;
ret = get_claims_for_principal(samdb,
mem_ctx,
principal_dn,
client_claims_data);
if (ret != LDB_SUCCESS) {
return dsdb_ldb_err_to_ntstatus(ret);
}
return NT_STATUS_OK;
}
static static
NTSTATUS samba_get_cred_info_ndr_blob(TALLOC_CTX *mem_ctx, NTSTATUS samba_get_cred_info_ndr_blob(TALLOC_CTX *mem_ctx,
const struct ldb_message *msg, const struct ldb_message *msg,
@ -1116,6 +1142,60 @@ static NTSTATUS samba_add_asserted_identity(TALLOC_CTX *mem_ctx,
num_sids); num_sids);
} }
static NTSTATUS samba_add_claims_valid(TALLOC_CTX *mem_ctx,
enum samba_claims_valid claims_valid,
struct auth_user_info_dc *user_info_dc)
{
switch (claims_valid) {
case SAMBA_CLAIMS_VALID_EXCLUDE:
return NT_STATUS_OK;
case SAMBA_CLAIMS_VALID_INCLUDE:
{
struct dom_sid claims_valid_sid;
if (!dom_sid_parse(SID_CLAIMS_VALID, &claims_valid_sid)) {
return NT_STATUS_UNSUCCESSFUL;
}
return add_sid_to_array_attrs_unique(
mem_ctx,
&claims_valid_sid,
SE_GROUP_DEFAULT_FLAGS,
&user_info_dc->sids,
&user_info_dc->num_sids);
}
}
return NT_STATUS_INVALID_PARAMETER;
}
static NTSTATUS samba_add_compounded_auth(TALLOC_CTX *mem_ctx,
enum samba_compounded_auth compounded_auth,
struct auth_user_info_dc *user_info_dc)
{
switch (compounded_auth) {
case SAMBA_COMPOUNDED_AUTH_EXCLUDE:
return NT_STATUS_OK;
case SAMBA_COMPOUNDED_AUTH_INCLUDE:
{
struct dom_sid compounded_auth_sid;
if (!dom_sid_parse(SID_COMPOUNDED_AUTHENTICATION, &compounded_auth_sid)) {
return NT_STATUS_UNSUCCESSFUL;
}
return add_sid_to_array_attrs_unique(
mem_ctx,
&compounded_auth_sid,
SE_GROUP_DEFAULT_FLAGS,
&user_info_dc->sids,
&user_info_dc->num_sids);
}
}
return NT_STATUS_INVALID_PARAMETER;
}
/* /*
* Look up the user's info in the database and create a auth_user_info_dc * Look up the user's info in the database and create a auth_user_info_dc
* structure. If the resulting structure is not talloc_free()d, it will be * structure. If the resulting structure is not talloc_free()d, it will be
@ -1304,22 +1384,27 @@ NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx,
DATA_BLOB **_claims_blob) DATA_BLOB **_claims_blob)
{ {
DATA_BLOB *claims_blob = NULL; DATA_BLOB *claims_blob = NULL;
NTSTATUS nt_status;
SMB_ASSERT(_claims_blob != NULL); SMB_ASSERT(_claims_blob != NULL);
*_claims_blob = NULL; *_claims_blob = NULL;
/*
* Until we support claims we just
* return an empty blob,
* that matches what Windows is doing
* without defined claims
*/
claims_blob = talloc_zero(mem_ctx, DATA_BLOB); claims_blob = talloc_zero(mem_ctx, DATA_BLOB);
if (claims_blob == NULL) { if (claims_blob == NULL) {
return NT_STATUS_NO_MEMORY; return NT_STATUS_NO_MEMORY;
} }
nt_status = samba_get_claims_blob(mem_ctx,
p->kdc_db_ctx->samdb,
p->msg->dn,
claims_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Building claims failed: %s\n",
nt_errstr(nt_status));
return nt_status;
}
*_claims_blob = claims_blob; *_claims_blob = claims_blob;
return NT_STATUS_OK; return NT_STATUS_OK;
@ -1328,6 +1413,8 @@ NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx,
NTSTATUS samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx, NTSTATUS samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
struct samba_kdc_entry *skdc_entry, struct samba_kdc_entry *skdc_entry,
enum samba_asserted_identity asserted_identity, enum samba_asserted_identity asserted_identity,
enum samba_claims_valid claims_valid,
enum samba_compounded_auth compounded_auth,
struct auth_user_info_dc *user_info_dc_out) struct auth_user_info_dc *user_info_dc_out)
{ {
NTSTATUS nt_status; NTSTATUS nt_status;
@ -1370,6 +1457,22 @@ NTSTATUS samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
return nt_status; return nt_status;
} }
nt_status = samba_add_claims_valid(mem_ctx,
claims_valid,
user_info_dc_out);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to add Claims Valid!\n");
return nt_status;
}
nt_status = samba_add_compounded_auth(mem_ctx,
compounded_auth,
user_info_dc_out);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to add Compounded Authentication!\n");
return nt_status;
}
return NT_STATUS_OK; return NT_STATUS_OK;
} }
@ -1377,6 +1480,7 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
krb5_context context, krb5_context context,
struct ldb_context *samdb, struct ldb_context *samdb,
const enum auth_group_inclusion group_inclusion, const enum auth_group_inclusion group_inclusion,
const enum samba_compounded_auth compounded_auth,
const krb5_const_pac pac, DATA_BLOB *pac_blob, const krb5_const_pac pac, DATA_BLOB *pac_blob,
struct PAC_SIGNATURE_DATA *pac_srv_sig, struct PAC_SIGNATURE_DATA *pac_srv_sig,
struct PAC_SIGNATURE_DATA *pac_kdc_sig) struct PAC_SIGNATURE_DATA *pac_kdc_sig)
@ -1421,6 +1525,14 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
return nt_status; return nt_status;
} }
nt_status = samba_add_compounded_auth(mem_ctx,
compounded_auth,
user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("Failed to add Compounded Authentication!\n");
return nt_status;
}
nt_status = samba_get_logon_info_pac_blob(mem_ctx, nt_status = samba_get_logon_info_pac_blob(mem_ctx,
user_info_dc, user_info_dc,
_resource_groups, _resource_groups,
@ -2094,6 +2206,11 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
*/ */
enum samba_asserted_identity asserted_identity = enum samba_asserted_identity asserted_identity =
SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY; SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
const enum samba_claims_valid claims_valid = SAMBA_CLAIMS_VALID_EXCLUDE;
const enum samba_compounded_auth compounded_auth =
(device != NULL && !is_tgs) ?
SAMBA_COMPOUNDED_AUTH_INCLUDE :
SAMBA_COMPOUNDED_AUTH_EXCLUDE;
if (client == NULL) { if (client == NULL) {
code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
@ -2103,6 +2220,8 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
nt_status = samba_kdc_get_user_info_dc(mem_ctx, nt_status = samba_kdc_get_user_info_dc(mem_ctx,
client, client,
asserted_identity, asserted_identity,
claims_valid,
compounded_auth,
&user_info_dc); &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) { if (!NT_STATUS_IS_OK(nt_status)) {
DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n", DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
@ -2153,6 +2272,10 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
goto done; goto done;
} }
} else { } else {
const enum samba_compounded_auth compounded_auth =
(device != NULL && !is_tgs) ?
SAMBA_COMPOUNDED_AUTH_INCLUDE :
SAMBA_COMPOUNDED_AUTH_EXCLUDE;
pac_blob = talloc_zero(mem_ctx, DATA_BLOB); pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
if (pac_blob == NULL) { if (pac_blob == NULL) {
code = ENOMEM; code = ENOMEM;
@ -2163,6 +2286,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
context, context,
samdb, samdb,
group_inclusion, group_inclusion,
compounded_auth,
old_pac, old_pac,
pac_blob, pac_blob,
NULL, NULL,

13
source4/kdc/pac-glue.h
View File

@ -29,6 +29,16 @@ enum samba_asserted_identity {
SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY, SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
}; };
enum samba_claims_valid {
SAMBA_CLAIMS_VALID_EXCLUDE = 0,
SAMBA_CLAIMS_VALID_INCLUDE,
};
enum samba_compounded_auth {
SAMBA_COMPOUNDED_AUTH_EXCLUDE = 0,
SAMBA_COMPOUNDED_AUTH_INCLUDE,
};
enum { enum {
SAMBA_KDC_FLAG_PROTOCOL_TRANSITION = 0x00000001, SAMBA_KDC_FLAG_PROTOCOL_TRANSITION = 0x00000001,
SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION = 0x00000002, SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION = 0x00000002,
@ -75,6 +85,7 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
krb5_context context, krb5_context context,
struct ldb_context *samdb, struct ldb_context *samdb,
enum auth_group_inclusion group_inclusion, enum auth_group_inclusion group_inclusion,
enum samba_compounded_auth compounded_auth,
const krb5_const_pac pac, DATA_BLOB *pac_blob, const krb5_const_pac pac, DATA_BLOB *pac_blob,
struct PAC_SIGNATURE_DATA *pac_srv_sig, struct PAC_SIGNATURE_DATA *pac_srv_sig,
struct PAC_SIGNATURE_DATA *pac_kdc_sig); struct PAC_SIGNATURE_DATA *pac_kdc_sig);
@ -82,6 +93,8 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
NTSTATUS samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx, NTSTATUS samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
struct samba_kdc_entry *skdc_entry, struct samba_kdc_entry *skdc_entry,
enum samba_asserted_identity asserted_identity, enum samba_asserted_identity asserted_identity,
enum samba_claims_valid claims_valid,
enum samba_compounded_auth compounded_auth,
struct auth_user_info_dc *_user_info_dc); struct auth_user_info_dc *_user_info_dc);
NTSTATUS samba_kdc_update_delegation_info_blob(TALLOC_CTX *mem_ctx, NTSTATUS samba_kdc_update_delegation_info_blob(TALLOC_CTX *mem_ctx,

6
source4/kdc/wdc-samba4.c
View File

@ -122,6 +122,8 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
(is_s4u2self) ? (is_s4u2self) ?
SAMBA_ASSERTED_IDENTITY_SERVICE : SAMBA_ASSERTED_IDENTITY_SERVICE :
SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY; SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
const enum samba_claims_valid claims_valid = SAMBA_CLAIMS_VALID_INCLUDE;
const enum samba_compounded_auth compounded_auth = SAMBA_COMPOUNDED_AUTH_EXCLUDE;
struct auth_user_info_dc user_info_dc = {}; struct auth_user_info_dc user_info_dc = {};
@ -146,6 +148,8 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
nt_status = samba_kdc_get_user_info_dc(mem_ctx, nt_status = samba_kdc_get_user_info_dc(mem_ctx,
skdc_entry, skdc_entry,
asserted_identity, asserted_identity,
claims_valid,
compounded_auth,
&user_info_dc); &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) { if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx); talloc_free(mem_ctx);
@ -227,7 +231,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
ret = samba_make_krb5_pac(context, logon_blob, cred_blob, ret = samba_make_krb5_pac(context, logon_blob, cred_blob,
upn_blob, pac_attrs_blob, upn_blob, pac_attrs_blob,
requester_sid_blob, NULL, requester_sid_blob, NULL,
NULL, NULL, NULL, client_claims_blob, NULL, NULL,
*pac); *pac);
talloc_free(mem_ctx); talloc_free(mem_ctx);

2
source4/kdc/wscript_build
View File

@ -123,7 +123,7 @@ bld.SAMBA_SUBSYSTEM('sdb_kdb',
bld.SAMBA_SUBSYSTEM('PAC_GLUE', bld.SAMBA_SUBSYSTEM('PAC_GLUE',
source='pac-glue.c', source='pac-glue.c',
deps='ldb auth4_sam common_auth samba-credentials samba-hostconfig com_err' deps='ldb auth4_sam common_auth samba-credentials samba-hostconfig com_err ad_claims'
) )
bld.SAMBA_LIBRARY('pac', bld.SAMBA_LIBRARY('pac',

2
source4/selftest/tests.py
View File

@ -1004,7 +1004,7 @@ for env in ['fileserver_smb1', 'nt4_member', 'clusteredmember', 'ktest', 'nt4_dc
planoldpythontestsuite(env, "samba.tests.imports") planoldpythontestsuite(env, "samba.tests.imports")
have_fast_support = 1 have_fast_support = 1
claims_support = 0 claims_support = 1
compound_id_support = 0 compound_id_support = 0
if ('SAMBA4_USES_HEIMDAL' in config_hash or if ('SAMBA4_USES_HEIMDAL' in config_hash or
'HAVE_MIT_KRB5_1_20' in config_hash): 'HAVE_MIT_KRB5_1_20' in config_hash):

54
source4/torture/rpc/remote_pac.c
View File

@ -313,7 +313,7 @@ static bool test_PACVerify(struct torture_context *tctx,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed"); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed");
num_pac_buffers = 6; num_pac_buffers = 7;
if (expect_pac_upn_dns_info) { if (expect_pac_upn_dns_info) {
num_pac_buffers += 1; num_pac_buffers += 1;
} }
@ -749,10 +749,14 @@ static bool test_S4U2Self(struct torture_context *tctx,
struct dom_sid *ai_auth_authority = NULL; struct dom_sid *ai_auth_authority = NULL;
struct dom_sid *ai_service = NULL; struct dom_sid *ai_service = NULL;
struct dom_sid *ai_claims_valid = NULL;
size_t ai_auth_authority_count = 0; size_t ai_auth_authority_count = 0;
size_t ai_service_count = 0; size_t ai_service_count = 0;
size_t ai_claims_valid_count = 0;
size_t kinit_asserted_identity_index = 0; size_t kinit_asserted_identity_index = 0;
size_t kinit_claims_valid_index = 0;
size_t s4u2self_asserted_identity_index = 0; size_t s4u2self_asserted_identity_index = 0;
size_t s4u2self_claims_valid_index = 0;
bool ok; bool ok;
TALLOC_CTX *tmp_ctx = talloc_new(tctx); TALLOC_CTX *tmp_ctx = talloc_new(tctx);
@ -1000,8 +1004,15 @@ static bool test_S4U2Self(struct torture_context *tctx,
SID_SERVICE_ASSERTED_IDENTITY); SID_SERVICE_ASSERTED_IDENTITY);
torture_assert_not_null(tctx, ai_service, "failed to parse SID"); torture_assert_not_null(tctx, ai_service, "failed to parse SID");
/* ...and the Claims Valid SID. */
ai_claims_valid = dom_sid_parse_talloc(
tmp_ctx,
SID_CLAIMS_VALID);
torture_assert_not_null(tctx, ai_claims_valid, "failed to parse SID");
ai_auth_authority_count = 0; ai_auth_authority_count = 0;
ai_service_count = 0; ai_service_count = 0;
ai_claims_valid_count = 0;
for (i = 0; i < kinit_session_info->torture->num_dc_sids; i++) { for (i = 0; i < kinit_session_info->torture->num_dc_sids; i++) {
ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i].sid, ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i].sid,
ai_auth_authority); ai_auth_authority);
@ -1016,15 +1027,25 @@ static bool test_S4U2Self(struct torture_context *tctx,
ai_service_count++; ai_service_count++;
kinit_asserted_identity_index = i; kinit_asserted_identity_index = i;
} }
ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i].sid,
ai_claims_valid);
if (ok) {
ai_claims_valid_count++;
kinit_claims_valid_index = i;
}
} }
torture_assert_int_equal(tctx, ai_auth_authority_count, 1, torture_assert_int_equal(tctx, ai_auth_authority_count, 1,
"Kinit authority asserted identity should be (1)"); "Kinit authority asserted identity should be (1)");
torture_assert_int_equal(tctx, ai_service_count, 0, torture_assert_int_equal(tctx, ai_service_count, 0,
"Kinit service asserted identity should be (0)"); "Kinit service asserted identity should be (0)");
torture_assert_int_equal(tctx, ai_claims_valid_count, 1,
"Kinit Claims Valid should be (1)");
ai_auth_authority_count = 0; ai_auth_authority_count = 0;
ai_service_count = 0; ai_service_count = 0;
ai_claims_valid_count = 0;
for (i = 0; i < s4u2self_session_info->torture->num_dc_sids; i++) { for (i = 0; i < s4u2self_session_info->torture->num_dc_sids; i++) {
ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i].sid, ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i].sid,
ai_auth_authority); ai_auth_authority);
@ -1039,24 +1060,37 @@ static bool test_S4U2Self(struct torture_context *tctx,
ai_service_count++; ai_service_count++;
s4u2self_asserted_identity_index = i; s4u2self_asserted_identity_index = i;
} }
ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i].sid,
ai_claims_valid);
if (ok) {
ai_claims_valid_count++;
s4u2self_claims_valid_index = i;
}
} }
torture_assert_int_equal(tctx, ai_auth_authority_count, 0, torture_assert_int_equal(tctx, ai_auth_authority_count, 0,
"S4U2Self authority asserted identity should be (0)"); "S4U2Self authority asserted identity should be (0)");
torture_assert_int_equal(tctx, ai_service_count, 1, torture_assert_int_equal(tctx, ai_service_count, 1,
"S4U2Self service asserted identity should be (1)"); "S4U2Self service asserted identity should be (1)");
torture_assert_int_equal(tctx, ai_claims_valid_count, 1,
"S4U2Self Claims Valid should be (1)");
torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids - 1, "Different numbers of domain groups for kinit-based PAC"); /*
torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s4u2self_session_info->torture->num_dc_sids - 1, "Different numbers of domain groups for S4U2Self"); * Subtract 2 to account for the Asserted Identity and Claims Valid
* SIDs.
*/
torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids - 2, "Different numbers of domain groups for kinit-based PAC");
torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s4u2self_session_info->torture->num_dc_sids - 2, "Different numbers of domain groups for S4U2Self");
/* Loop over all three SID arrays. */ /* Loop over all three SID arrays. */
for (i = 0, j = 0, k = 0; i < netlogon_user_info_dc->num_sids; i++, j++, k++) { for (i = 0, j = 0, k = 0; i < netlogon_user_info_dc->num_sids; i++, j++, k++) {
if (j == kinit_asserted_identity_index) { while (j == kinit_asserted_identity_index || j == kinit_claims_valid_index) {
/* Skip over the asserted identity SID. */ /* Skip over the asserted identity and Claims Valid SIDs. */
++j; ++j;
} }
if (k == s4u2self_asserted_identity_index) { while (k == s4u2self_asserted_identity_index || k == s4u2self_claims_valid_index) {
/* Skip over the asserted identity SID. */ /* Skip over the asserted identity and Claims Valid SIDs. */
++k; ++k;
} }
torture_assert_sid_equal(tctx, &netlogon_user_info_dc->sids[i].sid, &kinit_session_info->torture->dc_sids[j].sid, "Different domain groups for kinit-based PAC"); torture_assert_sid_equal(tctx, &netlogon_user_info_dc->sids[i].sid, &kinit_session_info->torture->dc_sids[j].sid, "Different domain groups for kinit-based PAC");
@ -1212,7 +1246,7 @@ static bool test_S4U2Proxy(struct torture_context *tctx,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed"); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed");
num_pac_buffers = 8; num_pac_buffers = 9;
torture_assert_int_equal(tctx, pac_data_struct.version, 0, "version"); torture_assert_int_equal(tctx, pac_data_struct.version, 0, "version");
torture_assert_int_equal(tctx, pac_data_struct.num_buffers, num_pac_buffers, "num_buffers"); torture_assert_int_equal(tctx, pac_data_struct.num_buffers, num_pac_buffers, "num_buffers");
@ -1245,6 +1279,10 @@ static bool test_S4U2Proxy(struct torture_context *tctx,
torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_FULL_CHECKSUM"); torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_FULL_CHECKSUM");
torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_FULL_CHECKSUM info"); torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_FULL_CHECKSUM info");
pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_CLIENT_CLAIMS_INFO);
torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_CLIENT_CLAIMS_INFO");
torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_CLIENT_CLAIMS_INFO info");
pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_CONSTRAINED_DELEGATION); pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_CONSTRAINED_DELEGATION);
torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_CONSTRAINED_DELEGATION"); torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_CONSTRAINED_DELEGATION");
torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_CONSTRAINED_DELEGATION info"); torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_CONSTRAINED_DELEGATION info");