1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

7 Commits

Author SHA1 Message Date
Joseph Sutton
1e3c347985 s4:kdc: Remove unused function get_claims_blob_for_principal()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
c01c206d76 s4:kdc: Add get_claims_set_for_principal()
Add a new function, get_claims_set_for_principal(), that returns the
claims as a CLAIMS_SET structure rather than as a blob. To accommodate
this, move the call to encode_claims_set() out of get_all_claims() and
into get_claims_blob_for_principal().

Being able to get the unencoded claims will save us from having to
decode claims that we just needlessly encoded.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Aug 14 05:51:45 UTC 2023 on atb-devel-224
2023-08-14 05:51:45 +00:00
Joseph Sutton
21e0c25895 s4:kdc: Rename ‘claims_blob’ parameter to ‘claims_blob_out’
Just to make perfectly clear that it is an out parameter.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:35 +00:00
Joseph Sutton
504a36f320 s4:kdc: Rename get_claims_for_principal() to get_claims_blob_for_principal()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:35 +00:00
Joseph Sutton
a9d543cdfc s4:kdc: Gate claims, auth policies and NTLM restrctions behind 2012/2016 FLs
Samba security features like AD claims, Authentication Policies and
Authentication Silos are enabled once the DC is at the required functional level.

We comment at the callers of of dsdb_dc_functional_level() to explain
why we do this.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-21 19:08:37 +00:00
Joseph Sutton
10d6d77a27 s4:kdc: Have get_claims_for_principal() take the entire principal
The ldb_message contains more information than just the DN, such as
which authentication policy or silo is assigned.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
3afac3f8f7 s4:kdc: Add utility functions for AD claims
get_claims_for_principal() is a new function that creates a claims blob
for a principal based on attributes in the database.

It's not hooked into the KDC yet, so this entails no change in
behaviour.

Constructed claims and certificate claims are not supported yet.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 08:29:32 +00:00