IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 24 10:28:02 UTC 2025 on atb-devel-224
This makes it possible modify the public ticket part well as the enc part.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This allows us to add more access checks later...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 22 23:04:04 UTC 2025 on atb-devel-224
For now we only allow the implicit (default) or explicit allow all
policy, as well as a deny all policy.
For all others we return an error in order to indicate the
non-supported configuration.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
For now we only allow the implicit (default) or explicit deny all
policy.
For all others we return an error in order to indicate the
non-supported configuration.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
There's no reason not to regenerate it, it makes the code more
consistent.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
The logic in samba_kdc_get_logon_info_blob() also does
talloc_zero(tmp_ctx, DATA_BLOB) followed by calling
samba_get_logon_info_pac_blob().
So we can always just call samba_kdc_get_logon_info_blob().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We should generate the device blobs after generating the client blobs
and also after all access checking.
We also use the samba_kdc_get_claims_blob() helper,
which is currently only a wrapper around
claims_data_encoded_claims_set(), but that will change in future...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Note that samba_kdc_get_claims_data() already handles the
samba_kdc_entry_pac_issued_by_trust() case to clear the
claims received from a trusted domain.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We should also go via samba_kdc_get_claims_data_from_pac()
if the pack was issued by a trust. But for now we still
clear the claims, which is the default if
msDS-IngressClaimsTransformationPolicy is missing
on the trustedDomain object.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We should avoid calling claims_data_encoded_claims_set() directly,
we'll have to do more than claims_data_encoded_claims_set() in future,
so make sure we always go via the common samba_kdc_get_claims_blob()
helper.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
It means samba_kdc_update_pac() does not call
samba_kdc_get_claims_data_from_db() twice,
as it's already called by samba_kdc_get_claims_data().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
There's no need to call it again if the caller already did.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We should can already call this in the 'need_device' branch, then
it can be reused later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Also use samba_kdc_entry_pac_valid_principal() in order to catch
all conditions for a valid device. For principals issued by
trusted domains there's no device.entry pointer!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This simplifies and unifies the callers.
For the MIT kdc we avoid using via kerberos_pac_to_user_info_dc()
directly.
Now both go via samba_kdc_get_user_info_dc() and MIT also
handles the samba_kdc_get_claims_data() path.
For the MIT kdc it means kerberos_pac_to_user_info_dc() is now
called via samba_kdc_get_user_info_dc() ->
samba_kdc_get_user_info_from_pac() and it is followed by
authsam_update_user_info_dc() consistently.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This will allow us to make more functions static in the next steps.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This makes the code base less confusing (at least for me).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
It means we port commit b42fbc78395870c3caa33aa1c9636a59fde9e867 also to the
MIT kdc and enforce authentication policy service restrictions when getting a PAC
We should have this logic only once in order to avoid getting out of
sync between heimdal and MIT regarding the core logic.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
samba_kdc_get_pac() will be re-used by mit_samba_get_pac() in
the next step.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 22 17:03:27 UTC 2025 on atb-devel-224
This will be used for sid/name filtering in the following commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
