The branch, master has been updated
       via  7e3cbc2c641 s4:kdc: Fix typo
       via  9d59e42a2ba s4:kdc: Split samba_kdc_get_pac_blobs() into smaller functions
       via  c7b00ccc76f s4:kdc: Rename claims_blob to client_claims_blob
       via  fbed57b86bc s4:kdc: Fix leak
       via  9c4f7e4b339 s4:kdc: Don't modify cached user_info_dc SIDs
       via  c62937822d8 s4:kdc: Don't check PAC-OPTIONS claims-supported bit
       via  3e97ea3f35e s4:kdc: Have samba_kdc_update_pac() take device parameters
       via  a326aec4c04 s4:kdc: Don't pass a NULL pointer to krb5_pac_add_buffer()
       via  1a625702e81 libcli/security: Correctly handle ACL deletion
       via  545b40a70b0 s4/dsdb/repl_meta_data: Pass NULL into ldb_msg_add_empty
       via  211d19a04c3 ldb: Don't create error string if there is no error
      from  6241380bc52 samba-tool: rewrite dsacl.py to use the new sd_utils helpers

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7e3cbc2c6418a876ab4770f1fd5ff12e8c8dae9d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Mar 21 09:43:01 2023 +1300

    s4:kdc: Fix typo

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Mar 22 19:36:28 UTC 2023 on atb-devel-224

commit 9d59e42a2bacf53eda99f0a3d96f9ce4088b1ddc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 20 15:16:21 2023 +1300

    s4:kdc: Split samba_kdc_get_pac_blobs() into smaller functions

    Instead of having one large function that returns every PAC blob, we
    now have a more manageable assortment of smaller functions that each
    return one blob. That gives us more fine-grained handling of PAC blobs,
    with callers now able to procure only the specific blobs that they
    need.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c7b00ccc76f4a055dd761c929c23b014b214c4f5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 20 15:13:39 2023 +1300

    s4:kdc: Rename claims_blob to client_claims_blob

    This will not be the only claims blob. Later there will also be a
    device_claims_blob.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fbed57b86bc5b358a7373c134ce26a012b4280ef
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 20 15:11:54 2023 +1300

    s4:kdc: Fix leak

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9c4f7e4b339d6ed5ed1030f87c9a871b06987265
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 20 15:02:53 2023 +1300

    s4:kdc: Don't modify cached user_info_dc SIDs

    samba_kdc_get_pac_blobs() passes a pointer to a user_info_dc structure
    obtained from samba_kdc_get_user_info_from_db() into
    samba_add_asserted_identity(). The latter function modifies the SIDs of
    the user_info_dc structure in order to add the Asserted Identity SID,
    but samba_kdc_get_user_info_from_db() actually caches that structure
    internally, meaning that subsequent calls will return the modified
    structure.

    We should not modify cached SIDs, so have
    samba_kdc_get_user_info_from_db() return a pointer to constant data,
    and copy the returned array of SIDs before adding the Asserted Identity
    SID.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c62937822d8d814a70d32efab93be721791c57f0
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 11:57:09 2023 +1300

    s4:kdc: Don't check PAC-OPTIONS claims-supported bit

    Windows only consults the PAC-OPTIONS claims bit to find out whether or
    not to add claims to the PAC if the ClaimsCompIdFASTSupport option is
    set to 1. If this option is set to 2 or 3, the bit is ignored and
    claims are always added.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3e97ea3f35e3d147b491bb2da959b0f8a6207835
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 11:14:15 2023 +1300

    s4:kdc: Have samba_kdc_update_pac() take device parameters

    These will be used later when we add support for compound
    authentication.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a326aec4c0495200d05ab8b2310f23199058167a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 11:07:11 2023 +1300

    s4:kdc: Don't pass a NULL pointer to krb5_pac_add_buffer()

    Heimdal contains an assertion that the data pointer is not NULL. We
    need to pass in a pointer to some dummy data instead.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1a625702e81ef2a6bd38c486e3056ce61da800e8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 13 10:09:15 2023 +1300

    libcli/security: Correctly handle ACL deletion

    If there were two consecutive occurrences of an ACL to be deleted, we
    would miss the second one.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 545b40a70b02141ed292ddd3ff63d1f62070bb85
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Mar 8 09:24:49 2023 +1300

    s4/dsdb/repl_meta_data: Pass NULL into ldb_msg_add_empty

    We weren't doing anything with the passed-in 'el' afterwards, so this
    was just confusing.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 211d19a04c303ad264e3d155ce9bee242789cf62
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Mar 8 09:23:00 2023 +1300

    ldb: Don't create error string if there is no error

    We should only do this in the LDB_ERR_NO_SUCH_ATTRIBUTE case.
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: lib/ldb/ldb_key_value/ldb_kv.c | 15 +- libcli/security/security_descriptor.c | 1 + source4/auth/session.c | 2 +- source4/auth/session.h | 2 +- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 2 +- source4/kdc/db-glue.c | 4 +- source4/kdc/mit_samba.c | 70 +++- source4/kdc/pac-glue.c | 440 ++++++++++++++++-------- source4/kdc/pac-glue.h | 45 ++- source4/kdc/wdc-samba4.c | 133 ++++--- 10 files changed, 457 insertions(+), 257 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/ldb/ldb_key_value/ldb_kv.c b/lib/ldb/ldb_key_value/ldb_kv.c index aea6f0c1be0..4c153b21c31 100644 --- a/lib/ldb/ldb_key_value/ldb_kv.c +++ b/lib/ldb/ldb_key_value/ldb_kv.c @@ -1289,13 +1289,14 @@ int ldb_kv_modify_internal(struct ldb_module *module, ldb_kv, msg2, msg->elements[i].name); - if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE && - control_permissive) { - ret = LDB_SUCCESS; - } else { - ldb_asprintf_errstring(ldb, - "attribute '%s': no such attribute for delete on '%s'", - msg->elements[i].name, dn); + if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) { + if (control_permissive) { + ret = LDB_SUCCESS; + } else { + ldb_asprintf_errstring(ldb, + "attribute '%s': no such attribute for delete on '%s'", + msg->elements[i].name, dn); + } } if (ret != LDB_SUCCESS) { goto done; diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c index d6a7eda611b..ebc5c8f1f45 100644 --- a/libcli/security/security_descriptor.c +++ b/libcli/security/security_descriptor.c @@ -414,6 +414,7 @@ static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd, acl->aces = NULL; } found = true; + --i; } } diff --git a/source4/auth/session.c b/source4/auth/session.c index 4b9a0058dd5..2e28bc15c6d 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c 
@@ -52,7 +52,7 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ - struct auth_user_info_dc *user_info_dc, + const struct auth_user_info_dc *user_info_dc, uint32_t session_info_flags, struct auth_session_info **_session_info) { diff --git a/source4/auth/session.h b/source4/auth/session.h index 97a8aba0f14..2d42396a556 100644 --- a/source4/auth/session.h +++ b/source4/auth/session.h @@ -39,7 +39,7 @@ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx, NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ - struct auth_user_info_dc *interim_info, + const struct auth_user_info_dc *interim_info, uint32_t session_info_flags, struct auth_session_info **session_info); NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c index 175a02d3ba7..cb32d190dce 100644 --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c @@ -4712,7 +4712,7 @@ static int replmd_delete_internals(struct ldb_module *module, struct ldb_request */ dsdb_flags |= DSDB_REPLMD_VANISH_LINKS; } - ret = ldb_msg_add_empty(msg, el->name, LDB_FLAG_MOD_DELETE, &el); + ret = ldb_msg_add_empty(msg, el->name, LDB_FLAG_MOD_DELETE, NULL); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); ldb_module_oom(module); diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 7a048a6a418..55286f04c85 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c 
@@ -1394,7 +1394,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT && (flags & SDB_F_FOR_AS_REQ)) { int result; - struct auth_user_info_dc *user_info_dc = NULL; + const struct auth_user_info_dc *user_info_dc = NULL; /* * These protections only apply to clients, so servers in the * Protected Users group may still have service tickets to them @@ -1407,7 +1407,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, * and computers should never be members of Protected Users, or * they may fail to authenticate. */ - status = samba_kdc_get_user_info_from_db(p, msg, &user_info_dc); + status = samba_kdc_get_user_info_from_db(mem_ctx, p, msg, &user_info_dc); if (!NT_STATUS_IS_OK(status)) { ret = EINVAL; goto out; diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index c3c07926cca..48e4b74efaf 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -464,6 +464,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, krb5_pac *pac) { TALLOC_CTX *tmp_ctx; + struct auth_user_info_dc user_info_dc = {}; DATA_BLOB *logon_info_blob = NULL; DATA_BLOB *upn_dns_info_blob = NULL; DATA_BLOB *cred_ndr = NULL; @@ -511,17 +512,10 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, cred_ndr_ptr = &cred_ndr; } - nt_status = samba_kdc_get_pac_blobs(tmp_ctx, - skdc_entry, - asserted_identity, - group_inclusion, - &logon_info_blob, - cred_ndr_ptr, - &upn_dns_info_blob, - is_krbtgt ? &pac_attrs_blob : NULL, - PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY, - is_krbtgt ? &requester_sid_blob : NULL, - NULL); + nt_status = samba_kdc_get_user_info_dc(tmp_ctx, + skdc_entry, + asserted_identity, + &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); if (NT_STATUS_EQUAL(nt_status, 
@@ -531,6 +525,51 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, return EINVAL; } + nt_status = samba_kdc_get_logon_info_blob(tmp_ctx, + &user_info_dc, + group_inclusion, + &logon_info_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return EINVAL; + } + + if (cred_ndr_ptr != NULL) { + nt_status = samba_kdc_get_cred_ndr_blob(tmp_ctx, + skdc_entry, + cred_ndr_ptr); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return EINVAL; + } + } + + nt_status = samba_kdc_get_upn_info_blob(tmp_ctx, + &user_info_dc, + &upn_dns_info_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return EINVAL; + } + + if (is_krbtgt) { + nt_status = samba_kdc_get_pac_attrs_blob(tmp_ctx, + PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY, + &pac_attrs_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return EINVAL; + } + + nt_status = samba_kdc_get_requester_sid_blob(tmp_ctx, + &user_info_dc, + &requester_sid_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return EINVAL; + } + } + if (replaced_reply_key != NULL && cred_ndr != NULL) { code = samba_kdc_encrypt_pac_credentials(context, replaced_reply_key, @@ -651,6 +690,8 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, server_skdc_entry, krbtgt_skdc_entry, delegated_proxy_principal, + NULL, /* device */ + NULL, /* device_pac */ *pac, new_pac); if (code != 0) { @@ -752,6 +793,8 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx, server_skdc_entry, krbtgt_skdc_entry, NULL, /* delegated_proxy_principal */ + NULL, /* device */ + NULL, /* device_pac */ old_pac, new_pac); if (code != 0) { 
@@ -970,7 +1013,7 @@ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, enum samPwdChangeReason reject_reason; struct samr_DomInfo1 *dominfo; const char *error_string = NULL; - struct auth_user_info_dc *user_info_dc; + const struct auth_user_info_dc *user_info_dc = NULL; struct samba_kdc_entry *p = talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry); krb5_error_code code = 0; @@ -984,7 +1027,8 @@ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, return ENOMEM; } - status = samba_kdc_get_user_info_from_db(p, + status = samba_kdc_get_user_info_from_db(tmp_ctx, + p, p->msg, &user_info_dc); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 97dac1bc79e..1fcc79a2e62 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -299,8 +299,7 @@ NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx, const struct auth_user_info_dc *info, const struct PAC_DOMAIN_GROUP_MEMBERSHIP *override_resource_groups, const enum auth_group_inclusion group_inclusion, - DATA_BLOB *pac_data, - DATA_BLOB *requester_sid_blob) + DATA_BLOB *pac_data) { struct netr_SamInfo3 *info3 = NULL; struct PAC_DOMAIN_GROUP_MEMBERSHIP *_resource_groups = NULL; @@ -312,9 +311,6 @@ NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx, ZERO_STRUCT(pac_info); *pac_data = data_blob_null; - if (requester_sid_blob != NULL) { - *requester_sid_blob = data_blob_null; - } if (override_resource_groups == NULL) { resource_groups = &_resource_groups; 
@@ -375,6 +371,21 @@ NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx, return nt_status; } + return NT_STATUS_OK; +} + +static +NTSTATUS samba_get_requester_sid_pac_blob(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *info, + DATA_BLOB *requester_sid_blob) +{ + enum ndr_err_code ndr_err; + NTSTATUS nt_status; + + if (requester_sid_blob != NULL) { + *requester_sid_blob = data_blob_null; + } + if (requester_sid_blob != NULL && info->num_sids > 0) { union PAC_INFO pac_requester_sid; @@ -819,10 +830,8 @@ krb5_error_code samba_make_krb5_pac(krb5_context context, { krb5_data logon_data; krb5_error_code ret; -#ifdef SAMBA4_USES_HEIMDAL char null_byte = '\0'; krb5_data null_data = smb_krb5_make_data(&null_byte, 0); -#endif /* The user account may be set not to want the PAC */ if (logon_blob == NULL) { @@ -846,10 +855,19 @@ krb5_error_code samba_make_krb5_pac(krb5_context context, } if (client_claims_blob != NULL) { - krb5_data client_claims_data = smb_krb5_data_from_blob(*client_claims_blob); + krb5_data client_claims_data; + krb5_data *data = NULL; + + if (client_claims_blob->length != 0) { + client_claims_data = smb_krb5_data_from_blob(*client_claims_blob); + data = &client_claims_data; + } else { + data = &null_data; + } + ret = krb5_pac_add_buffer(context, pac, PAC_TYPE_CLIENT_CLAIMS_INFO, - &client_claims_data); + data); if (ret != 0) { return ret; } @@ -1071,7 +1089,8 @@ int samba_krbtgt_is_in_db(struct samba_kdc_entry *p, */ static NTSTATUS samba_add_asserted_identity(TALLOC_CTX *mem_ctx, enum samba_asserted_identity ai, - struct auth_user_info_dc *user_info_dc) + struct auth_SidAttr **sids, + uint32_t *num_sids) { struct dom_sid ai_sid; const char *sid_str = NULL; 
@@ -1090,11 +1109,11 @@ static NTSTATUS samba_add_asserted_identity(TALLOC_CTX *mem_ctx, dom_sid_parse(sid_str, &ai_sid); return add_sid_to_array_attrs_unique( - user_info_dc, + mem_ctx, &ai_sid, SE_GROUP_DEFAULT_FLAGS, - &user_info_dc->sids, - &user_info_dc->num_sids); + sids, + num_sids); } /* @@ -1102,9 +1121,10 @@ static NTSTATUS samba_add_asserted_identity(TALLOC_CTX *mem_ctx, * structure. If the resulting structure is not talloc_free()d, it will be * reused on future calls to this function. */ -NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry, +NTSTATUS samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx, + struct samba_kdc_entry *skdc_entry, const struct ldb_message *msg, - struct auth_user_info_dc **user_info_dc) + const struct auth_user_info_dc **user_info_dc) { if (skdc_entry->user_info_dc == NULL) { NTSTATUS nt_status; 
@@ -1129,161 +1149,227 @@ NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry, return NT_STATUS_OK; } -NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx, - struct samba_kdc_entry *p, - enum samba_asserted_identity asserted_identity, - const enum auth_group_inclusion group_inclusion, - DATA_BLOB **_logon_info_blob, - DATA_BLOB **_cred_ndr_blob, - DATA_BLOB **_upn_info_blob, - DATA_BLOB **_pac_attrs_blob, - uint64_t pac_attributes, - DATA_BLOB **_requester_sid_blob, - DATA_BLOB **_client_claims_blob) +NTSTATUS samba_kdc_get_logon_info_blob(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + const enum auth_group_inclusion group_inclusion, + DATA_BLOB **_logon_info_blob) { - struct auth_user_info_dc *user_info_dc = NULL; DATA_BLOB *logon_blob = NULL; - DATA_BLOB *cred_blob = NULL; - DATA_BLOB *upn_blob = NULL; - DATA_BLOB *pac_attrs_blob = NULL; - DATA_BLOB *requester_sid_blob = NULL; - DATA_BLOB *client_claims_blob = NULL; NTSTATUS nt_status; *_logon_info_blob = NULL; - if (_cred_ndr_blob != NULL) { - *_cred_ndr_blob = NULL; - } - *_upn_info_blob = NULL; - if (_pac_attrs_blob != NULL) { - *_pac_attrs_blob = NULL; - } - if (_requester_sid_blob != NULL) { - *_requester_sid_blob = NULL; - } - if (_client_claims_blob != NULL) { - *_client_claims_blob = NULL; - } logon_blob = talloc_zero(mem_ctx, DATA_BLOB); if (logon_blob == NULL) { return NT_STATUS_NO_MEMORY; } - if (_cred_ndr_blob != NULL) { - cred_blob = talloc_zero(mem_ctx, DATA_BLOB); - if (cred_blob == NULL) { - return NT_STATUS_NO_MEMORY; - } + nt_status = samba_get_logon_info_pac_blob(logon_blob, + user_info_dc, + NULL, + group_inclusion, + logon_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("Building PAC LOGON INFO failed: %s\n", + nt_errstr(nt_status)); + return nt_status; } - upn_blob = talloc_zero(mem_ctx, DATA_BLOB); - if (upn_blob == NULL) { + *_logon_info_blob = logon_blob; + + return NT_STATUS_OK; +} + +NTSTATUS samba_kdc_get_cred_ndr_blob(TALLOC_CTX 
*mem_ctx, + const struct samba_kdc_entry *p, + DATA_BLOB **_cred_ndr_blob) +{ + DATA_BLOB *cred_blob = NULL; + NTSTATUS nt_status; + + SMB_ASSERT(_cred_ndr_blob != NULL); + + *_cred_ndr_blob = NULL; + + cred_blob = talloc_zero(mem_ctx, DATA_BLOB); + if (cred_blob == NULL) { return NT_STATUS_NO_MEMORY; } - if (_pac_attrs_blob != NULL) { - pac_attrs_blob = talloc_zero(mem_ctx, DATA_BLOB); - if (pac_attrs_blob == NULL) { - return NT_STATUS_NO_MEMORY; - } + nt_status = samba_get_cred_info_ndr_blob(cred_blob, + p->msg, + cred_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("Building PAC CRED INFO failed: %s\n", + nt_errstr(nt_status)); + return nt_status; } - if (_requester_sid_blob != NULL) { - requester_sid_blob = talloc_zero(mem_ctx, DATA_BLOB); - if (requester_sid_blob == NULL) { - return NT_STATUS_NO_MEMORY; - } - } + *_cred_ndr_blob = cred_blob; - if (_client_claims_blob != NULL) { - /* - * Until we support claims we just - * return an empty blob, - * that matches what Windows is doing - * without defined claims - */ - client_claims_blob = talloc_zero(mem_ctx, DATA_BLOB); - if (client_claims_blob == NULL) { - return NT_STATUS_NO_MEMORY; - } + return NT_STATUS_OK; +} + +NTSTATUS samba_kdc_get_upn_info_blob(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + DATA_BLOB **_upn_info_blob) +{ + DATA_BLOB *upn_blob = NULL; + NTSTATUS nt_status; + + *_upn_info_blob = NULL; + + upn_blob = talloc_zero(mem_ctx, DATA_BLOB); + if (upn_blob == NULL) { + return NT_STATUS_NO_MEMORY; } - nt_status = samba_kdc_get_user_info_from_db(p, - p->msg, - &user_info_dc); + nt_status = samba_get_upn_info_pac_blob(upn_blob, + user_info_dc, + upn_blob); if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("Getting user info for PAC failed: %s\n", + DEBUG(0, ("Building PAC UPN INFO failed: %s\n", nt_errstr(nt_status))); return nt_status; } - nt_status = samba_add_asserted_identity(mem_ctx, - asserted_identity, - user_info_dc); + *_upn_info_blob = upn_blob; + + return 
NT_STATUS_OK; +} + +NTSTATUS samba_kdc_get_pac_attrs_blob(TALLOC_CTX *mem_ctx, + uint64_t pac_attributes, -- Samba Shared Repository
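Review bot: the restructured condition in ldb_kv_modify_internal now leaves the error string untouched for any failure other than LDB_ERR_NO_SUCH_ATTRIBUTE, so callers no longer get a misleading "no such attribute for delete" message for an unrelated error from the delete call above it; the permissive and non-permissive handling of LDB_ERR_NO_SUCH_ATTRIBUTE itself is unchanged. The subject line "Don't create error string if there is no error" undersells this: the old code overwrote the error string on every non-permissive failure path, which is worth spelling out in the commit message.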
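Review bot: the `--i;` added after `found = true;` in security_descriptor_acl_del depends on the loop's own increment to revisit the slot the deleted ACE vacated, and if `i` is unsigned, deleting the ACE at index 0 briefly wraps it before the increment brings it back; well-defined, but easy to misread on a later pass. Add a one-line comment that the entry at `i` was just removed and its successor now occupies the same index, or restructure so the index is only advanced when nothing was deleted.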
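Review bot: in mit_samba_get_pac the five new samba_kdc_get_*_blob calls each do `talloc_free(tmp_ctx); return EINVAL;` on any failure, whereas the samba_kdc_get_user_info_dc call immediately above still inspects the status with NT_STATUS_EQUAL before choosing a return code, so the new paths report NT_STATUS_NO_MEMORY as EINVAL. A single cleanup label that maps NT_STATUS_NO_MEMORY to ENOMEM and everything else to EINVAL would keep the mapping consistent and remove four copies of the same two lines.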
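Review bot: the new zero-length branch in samba_make_krb5_pac substitutes `&null_data` for an empty client_claims_blob, but the reason lives only in the commit message; add a comment at that point that Heimdal's krb5_pac_add_buffer asserts on a NULL data pointer, so a zero-length buffer must still carry a valid pointer. Removing the `#ifdef SAMBA4_USES_HEIMDAL` around `null_byte`/`null_data` is what makes the MIT build take the same path, which is fine, but the same treatment will be needed for any other optional PAC buffer that may legitimately be empty.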
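Review bot: returning `const struct auth_user_info_dc *` from samba_kdc_get_user_info_from_db and having samba_add_asserted_identity reallocate the SID array on the caller's `mem_ctx` through `sids`/`num_sids` is the right fix for the cached-state mutation described in 9c4f7e4b339, since a caller can no longer hand the cached `user_info_dc->sids` to it without a cast. The function comment above samba_kdc_get_user_info_from_db still says the structure is reused "if not talloc_free()d", which no longer fits a const-returned cached object, and the new `mem_ctx` parameter is undocumented; update the comment to state who owns the cached structure and what `mem_ctx` is used for.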
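Review bot: the split-out helpers in pac-glue.c are inconsistent in logging and cleanup: samba_kdc_get_logon_info_blob and samba_kdc_get_cred_ndr_blob use DBG_ERR while samba_kdc_get_upn_info_blob keeps `DEBUG(0, (...))`, and on failure each helper returns without freeing the DATA_BLOB it just allocated on `mem_ctx`. Use DBG_ERR throughout and `TALLOC_FREE()` the blob before the error return, or document in pac-glue.h that the output blob is only valid when NT_STATUS_OK is returned. Separately, the new static samba_get_requester_sid_pac_blob checks `requester_sid_blob != NULL` twice; an SMB_ASSERT as samba_kdc_get_cred_ndr_blob does for `_cred_ndr_blob` would be simpler.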