The branch, master has been updated
       via  7e3cbc2c641 s4:kdc: Fix typo
       via  9d59e42a2ba s4:kdc: Split samba_kdc_get_pac_blobs() into smaller functions
       via  c7b00ccc76f s4:kdc: Rename claims_blob to client_claims_blob
       via  fbed57b86bc s4:kdc: Fix leak
       via  9c4f7e4b339 s4:kdc: Don't modify cached user_info_dc SIDs
       via  c62937822d8 s4:kdc: Don't check PAC-OPTIONS claims-supported bit
       via  3e97ea3f35e s4:kdc: Have samba_kdc_update_pac() take device parameters
       via  a326aec4c04 s4:kdc: Don't pass a NULL pointer to krb5_pac_add_buffer()
       via  1a625702e81 libcli/security: Correctly handle ACL deletion
       via  545b40a70b0 s4/dsdb/repl_meta_data: Pass NULL into ldb_msg_add_empty
       via  211d19a04c3 ldb: Don't create error string if there is no error
      from  6241380bc52 samba-tool: rewrite dsacl.py to use the new sd_utils helpers

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7e3cbc2c6418a876ab4770f1fd5ff12e8c8dae9d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Mar 21 09:43:01 2023 +1300

    s4:kdc: Fix typo
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Mar 22 19:36:28 UTC 2023 on atb-devel-224

commit 9d59e42a2bacf53eda99f0a3d96f9ce4088b1ddc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 20 15:16:21 2023 +1300

    s4:kdc: Split samba_kdc_get_pac_blobs() into smaller functions
    
    Instead of having one large function that returns every PAC blob, we now
    have a more manageable assortment of smaller functions that each return
    one blob.
    
    That gives us more fine-grained handling of PAC blobs, with callers now
    able to procure only the specific blobs that they need.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c7b00ccc76f4a055dd761c929c23b014b214c4f5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 20 15:13:39 2023 +1300

    s4:kdc: Rename claims_blob to client_claims_blob
    
    This will not be the only claims blob. Later there will also be a
    device_claims_blob.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fbed57b86bc5b358a7373c134ce26a012b4280ef
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 20 15:11:54 2023 +1300

    s4:kdc: Fix leak
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9c4f7e4b339d6ed5ed1030f87c9a871b06987265
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 20 15:02:53 2023 +1300

    s4:kdc: Don't modify cached user_info_dc SIDs
    
    samba_kdc_get_pac_blobs() passes a pointer to a user_info_dc structure
    obtained from samba_kdc_get_user_info_from_db() into
    samba_add_asserted_identity(). The latter function modifies the SIDs of
    the user_info_dc structure in order to add the Asserted Identity SID,
    but samba_kdc_get_user_info_from_db() actually caches that structure
    internally, meaning that subsequent calls will return the modified
    structure.
    
    We should not modify cached SIDs, so have
    samba_kdc_get_user_info_from_db() return a pointer to constant data, and
    copy the returned array of SIDs before adding the Asserted Identity SID.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c62937822d8d814a70d32efab93be721791c57f0
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 11:57:09 2023 +1300

    s4:kdc: Don't check PAC-OPTIONS claims-supported bit
    
    Windows only consults the PAC-OPTIONS claims bit to find out whether or
    not to add claims to the PAC if the ClaimsCompIdFASTSupport option is
    set to 1. If this option is set to 2 or 3, the bit is ignored and claims
    are always added.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3e97ea3f35e3d147b491bb2da959b0f8a6207835
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 11:14:15 2023 +1300

    s4:kdc: Have samba_kdc_update_pac() take device parameters
    
    These will be used later when we add support for compound
    authentication.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a326aec4c0495200d05ab8b2310f23199058167a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 11:07:11 2023 +1300

    s4:kdc: Don't pass a NULL pointer to krb5_pac_add_buffer()
    
    Heimdal contains an assertion that the data pointer is not NULL. We need
    to pass in a pointer to some dummy data instead.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1a625702e81ef2a6bd38c486e3056ce61da800e8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Mar 13 10:09:15 2023 +1300

    libcli/security: Correctly handle ACL deletion
    
    If there were two consecutive occurrences of an ACL to be deleted, we
    would miss the second one.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 545b40a70b02141ed292ddd3ff63d1f62070bb85
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Mar 8 09:24:49 2023 +1300

    s4/dsdb/repl_meta_data: Pass NULL into ldb_msg_add_empty
    
    We weren't doing anything with the passed-in 'el' afterwards, so this
    was just confusing.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 211d19a04c303ad264e3d155ce9bee242789cf62
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Mar 8 09:23:00 2023 +1300

    ldb: Don't create error string if there is no error
    
    We should only do this in the LDB_ERR_NO_SUCH_ATTRIBUTE case.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/ldb_key_value/ldb_kv.c                  |  15 +-
 libcli/security/security_descriptor.c           |   1 +
 source4/auth/session.c                          |   2 +-
 source4/auth/session.h                          |   2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c |   2 +-
 source4/kdc/db-glue.c                           |   4 +-
 source4/kdc/mit_samba.c                         |  70 +++-
 source4/kdc/pac-glue.c                          | 440 ++++++++++++++++--------
 source4/kdc/pac-glue.h                          |  45 ++-
 source4/kdc/wdc-samba4.c                        | 133 ++++---
 10 files changed, 457 insertions(+), 257 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ldb_key_value/ldb_kv.c b/lib/ldb/ldb_key_value/ldb_kv.c
index aea6f0c1be0..4c153b21c31 100644
--- a/lib/ldb/ldb_key_value/ldb_kv.c
+++ b/lib/ldb/ldb_key_value/ldb_kv.c
@@ -1289,13 +1289,14 @@ int ldb_kv_modify_internal(struct ldb_module *module,
                                    ldb_kv,
                                    msg2,
                                    msg->elements[i].name);
-                               if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE &&
-                                   control_permissive) {
-                                       ret = LDB_SUCCESS;
-                               } else {
-                                       ldb_asprintf_errstring(ldb,
-                                                              "attribute '%s': 
no such attribute for delete on '%s'",
-                                                              
msg->elements[i].name, dn);
+                               if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
+                                       if (control_permissive) {
+                                               ret = LDB_SUCCESS;
+                                       } else {
+                                               ldb_asprintf_errstring(ldb,
+                                                                      
"attribute '%s': no such attribute for delete on '%s'",
+                                                                      
msg->elements[i].name, dn);
+                                       }
                                }
                                if (ret != LDB_SUCCESS) {
                                        goto done;
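Review bot: the new nesting under `if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE)` fixes a genuine mis-report, not just a cosmetic one: in the old shape every non-permissive return code, not only LDB_ERR_NO_SUCH_ATTRIBUTE, fell into the `else` and had its error string overwritten with "no such attribute for delete", hiding the real failure from the caller. With the change, other errors reach `if (ret != LDB_SUCCESS) goto done;` carrying whatever error string the delete helper already set. A one-line comment on the outer `if` saying the message is specific to the missing-attribute case would stop the structure being flattened again later.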
diff --git a/libcli/security/security_descriptor.c 
b/libcli/security/security_descriptor.c
index d6a7eda611b..ebc5c8f1f45 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -414,6 +414,7 @@ static NTSTATUS security_descriptor_acl_del(struct 
security_descriptor *sd,
                                acl->aces = NULL;
                        }
                        found = true;
+                       --i;
                }
        }
 
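Review bot: the `--i;` after `found = true;` is the fix for the skipped second match, but its correctness rests on details outside this hunk: the decrement must happen before the enclosing loop's own increment, and the loop bound must re-read the updated ACE count after the removal (the hunk shows the `acl->aces = NULL;` path for the last element, so the array can disappear while `i` is still in play). If `i` is unsigned, `--i` at `i == 0` wraps and is brought back by the increment, which is defined behaviour but easy to misread. A comment such as `/* re-examine this index: the next ACE shifted down */`, or rewriting the loop so the index only advances when nothing was removed, would make the intent obvious, and a test with two adjacent matching ACEs (the case from the commit message) would pin it down.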
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 4b9a0058dd5..2e28bc15c6d 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -52,7 +52,7 @@ _PUBLIC_ struct auth_session_info 
*anonymous_session(TALLOC_CTX *mem_ctx,
 _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
                                             struct loadparm_context *lp_ctx, 
/* Optional, if you don't want privilages */
                                             struct ldb_context *sam_ctx, /* 
Optional, if you don't want local groups */
-                                            struct auth_user_info_dc 
*user_info_dc,
+                                            const struct auth_user_info_dc 
*user_info_dc,
                                             uint32_t session_info_flags,
                                             struct auth_session_info 
**_session_info)
 {
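Review bot: the `const` on `user_info_dc` is the right contract now that callers may hand over cached data, but it only compiles if the declaration in session.h (updated in the next file diff) carries the same qualifier. While this signature is being touched, the pre-existing `privilages` typo in the parameter comment on the unchanged context lines could be corrected to `privileges`.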
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 97a8aba0f14..2d42396a556 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -39,7 +39,7 @@ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
 NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
                                    struct loadparm_context *lp_ctx, /* 
Optional, if you don't want privilages */
                                    struct ldb_context *sam_ctx, /* Optional, 
if you don't want local groups */
-                                   struct auth_user_info_dc *interim_info,
+                                   const struct auth_user_info_dc 
*interim_info,
                                    uint32_t session_info_flags,
                                    struct auth_session_info **session_info);
 NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, 
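Review bot: the parameter is declared as `interim_info` here but defined as `user_info_dc` in session.c; since this line is changing anyway, renaming it to match the definition would keep the header honest. The `privilages` typo in the comment two lines above is also still present.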
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c 
b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 175a02d3ba7..cb32d190dce 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -4712,7 +4712,7 @@ static int replmd_delete_internals(struct ldb_module 
*module, struct ldb_request
                                 */
                                dsdb_flags |= DSDB_REPLMD_VANISH_LINKS;
                        }
-                       ret = ldb_msg_add_empty(msg, el->name, 
LDB_FLAG_MOD_DELETE, &el);
+                       ret = ldb_msg_add_empty(msg, el->name, 
LDB_FLAG_MOD_DELETE, NULL);
                        if (ret != LDB_SUCCESS) {
                                talloc_free(tmp_ctx);
                                ldb_module_oom(module);
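Review bot: passing `NULL` as the last argument is correct only because `ldb_msg_add_empty()` treats a NULL out-pointer as "do not return the element", which it does in ldb; the change also removes the side effect that `el` was silently repointed at the newly added element after the call, even though `el->name` on the same line still refers to the element it was iterating over. A short comment stating that the new element is not needed afterwards would spare the next reader the confusion the commit message describes.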
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 7a048a6a418..55286f04c85 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1394,7 +1394,7 @@ static krb5_error_code 
samba_kdc_message2entry(krb5_context context,
 
        if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT && (flags & 
SDB_F_FOR_AS_REQ)) {
                int result;
-               struct auth_user_info_dc *user_info_dc = NULL;
+               const struct auth_user_info_dc *user_info_dc = NULL;
                /*
                 * These protections only apply to clients, so servers in the
                 * Protected Users group may still have service tickets to them
@@ -1407,7 +1407,7 @@ static krb5_error_code 
samba_kdc_message2entry(krb5_context context,
                 * and computers should never be members of Protected Users, or
                 * they may fail to authenticate.
                 */
-               status = samba_kdc_get_user_info_from_db(p, msg, &user_info_dc);
+               status = samba_kdc_get_user_info_from_db(mem_ctx, p, msg, 
&user_info_dc);
                if (!NT_STATUS_IS_OK(status)) {
                        ret = EINVAL;
                        goto out;
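Review bot: the new `mem_ctx` argument to samba_kdc_get_user_info_from_db() makes ownership ambiguous from this call site: the commit message says the structure is cached inside the entry, so either `mem_ctx` owns the cache entry or only a transient copy, and which one decides whether `user_info_dc` stays valid after `mem_ctx` is freed. The function's header comment should say so. Also, the `ret = EINVAL; goto out;` path discards the NT status; logging `nt_errstr(status)` before the goto would make a failure in this client-side protection check diagnosable.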
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index c3c07926cca..48e4b74efaf 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -464,6 +464,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                      krb5_pac *pac)
 {
        TALLOC_CTX *tmp_ctx;
+       struct auth_user_info_dc user_info_dc = {};
        DATA_BLOB *logon_info_blob = NULL;
        DATA_BLOB *upn_dns_info_blob = NULL;
        DATA_BLOB *cred_ndr = NULL;
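Review bot: `struct auth_user_info_dc user_info_dc = {};` uses the empty-brace initializer, which is a GNU/C++ extension before C23; `= { 0 }`, or `ZERO_STRUCT(user_info_dc)` after the declaration as pac-glue.c does with `ZERO_STRUCT(pac_info)`, is the portable spelling.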
@@ -511,17 +512,10 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                cred_ndr_ptr = &cred_ndr;
        }
 
-       nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
-                                           skdc_entry,
-                                           asserted_identity,
-                                           group_inclusion,
-                                           &logon_info_blob,
-                                           cred_ndr_ptr,
-                                           &upn_dns_info_blob,
-                                           is_krbtgt ? &pac_attrs_blob : NULL,
-                                           
PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
-                                           is_krbtgt ? &requester_sid_blob : 
NULL,
-                                           NULL);
+       nt_status = samba_kdc_get_user_info_dc(tmp_ctx,
+                                              skdc_entry,
+                                              asserted_identity,
+                                              &user_info_dc);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(tmp_ctx);
                if (NT_STATUS_EQUAL(nt_status,
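Review bot: the error branch under the new samba_kdc_get_user_info_dc() call keeps the `NT_STATUS_EQUAL(nt_status, ...)` special case that was written for samba_kdc_get_pac_blobs(); confirm the new function can still return that particular status, otherwise the branch is dead code. `user_info_dc` is now a stack struct whose arrays are allocated by the callee, so `tmp_ctx` being passed as the first argument is what lets the single `talloc_free(tmp_ctx)` on each error path release them; nothing may keep a pointer into it past that free.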
@@ -531,6 +525,51 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                return EINVAL;
        }
 
+       nt_status = samba_kdc_get_logon_info_blob(tmp_ctx,
+                                                 &user_info_dc,
+                                                 group_inclusion,
+                                                 &logon_info_blob);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               talloc_free(tmp_ctx);
+               return EINVAL;
+       }
+
+       if (cred_ndr_ptr != NULL) {
+               nt_status = samba_kdc_get_cred_ndr_blob(tmp_ctx,
+                                                       skdc_entry,
+                                                       cred_ndr_ptr);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       talloc_free(tmp_ctx);
+                       return EINVAL;
+               }
+       }
+
+       nt_status = samba_kdc_get_upn_info_blob(tmp_ctx,
+                                               &user_info_dc,
+                                               &upn_dns_info_blob);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               talloc_free(tmp_ctx);
+               return EINVAL;
+       }
+
+       if (is_krbtgt) {
+               nt_status = samba_kdc_get_pac_attrs_blob(tmp_ctx,
+                                                        
PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
+                                                        &pac_attrs_blob);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       talloc_free(tmp_ctx);
+                       return EINVAL;
+               }
+
+               nt_status = samba_kdc_get_requester_sid_blob(tmp_ctx,
+                                                            &user_info_dc,
+                                                            
&requester_sid_blob);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       talloc_free(tmp_ctx);
+                       return EINVAL;
+               }
+       }
+
        if (replaced_reply_key != NULL && cred_ndr != NULL) {
                code = samba_kdc_encrypt_pac_credentials(context,
                                                         replaced_reply_key,
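Review bot: the five new blocks each repeat `talloc_free(tmp_ctx); return EINVAL;` and collapse every distinct NT status into `EINVAL` without logging it; a single `goto fail;` cleanup label, or at least a `DBG_ERR("...: %s\n", nt_errstr(nt_status))` before each return as the pac-glue.c helpers do, would shorten this and keep the failure reason visible. The `if (cred_ndr_ptr != NULL)` and `if (is_krbtgt)` guards preserve the old `is_krbtgt ? ... : NULL` behaviour, including the `PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY` attribute, which is good.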
@@ -651,6 +690,8 @@ krb5_error_code mit_samba_reget_pac(struct 
mit_samba_context *ctx,
                                    server_skdc_entry,
                                    krbtgt_skdc_entry,
                                    delegated_proxy_principal,
+                                   NULL, /* device */
+                                   NULL, /* device_pac */
                                    *pac,
                                    new_pac);
        if (code != 0) {
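Review bot: the new `NULL, /* device */` and `NULL, /* device_pac */` arguments are placeholders until compound authentication lands; the declaration of samba_kdc_update_pac() should state that both may be NULL and that they must be NULL or non-NULL together, since a device PAC without a device entry (or the reverse) is an easy mistake for later callers and this function sits on the ticket-issuing path.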
@@ -752,6 +793,8 @@ krb5_error_code mit_samba_update_pac(struct 
mit_samba_context *ctx,
                                    server_skdc_entry,
                                    krbtgt_skdc_entry,
                                    NULL, /* delegated_proxy_principal */
+                                   NULL, /* device */
+                                   NULL, /* device_pac */
                                    old_pac,
                                    new_pac);
        if (code != 0) {
@@ -970,7 +1013,7 @@ int mit_samba_kpasswd_change_password(struct 
mit_samba_context *ctx,
        enum samPwdChangeReason reject_reason;
        struct samr_DomInfo1 *dominfo;
        const char *error_string = NULL;
-       struct auth_user_info_dc *user_info_dc;
+       const struct auth_user_info_dc *user_info_dc = NULL;
        struct samba_kdc_entry *p =
                talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
        krb5_error_code code = 0;
@@ -984,7 +1027,8 @@ int mit_samba_kpasswd_change_password(struct 
mit_samba_context *ctx,
                return ENOMEM;
        }
 
-       status = samba_kdc_get_user_info_from_db(p,
+       status = samba_kdc_get_user_info_from_db(tmp_ctx,
+                                                p,
                                                 p->msg,
                                                 &user_info_dc);
        if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 97dac1bc79e..1fcc79a2e62 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -299,8 +299,7 @@ NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
                                       const struct auth_user_info_dc *info,
                                       const struct PAC_DOMAIN_GROUP_MEMBERSHIP 
*override_resource_groups,
                                       const enum auth_group_inclusion 
group_inclusion,
-                                      DATA_BLOB *pac_data,
-                                      DATA_BLOB *requester_sid_blob)
+                                      DATA_BLOB *pac_data)
 {
        struct netr_SamInfo3 *info3 = NULL;
        struct PAC_DOMAIN_GROUP_MEMBERSHIP *_resource_groups = NULL;
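Review bot: dropping `requester_sid_blob` from samba_get_logon_info_pac_blob() changes a non-static signature, so every caller, including the MIT build in mit_samba.c, has to be updated in the same series or the tree stops linking. Splitting the requester SID out is the right direction: the logon info is always needed, while the requester SID is only emitted for krbtgt tickets (`if (is_krbtgt)` in the mit_samba.c hunk).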
@@ -312,9 +311,6 @@ NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
        ZERO_STRUCT(pac_info);
 
        *pac_data = data_blob_null;
-       if (requester_sid_blob != NULL) {
-               *requester_sid_blob = data_blob_null;
-       }
 
        if (override_resource_groups == NULL) {
                resource_groups = &_resource_groups;
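Review bot: with `*requester_sid_blob = data_blob_null` removed from this function, the new helper that takes over the requester SID must initialise its output before any early return, otherwise a caller that ignores the return value reads an uninitialised blob.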
@@ -375,6 +371,21 @@ NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
                return nt_status;
        }
 
+       return NT_STATUS_OK;
+}
+
+static
+NTSTATUS samba_get_requester_sid_pac_blob(TALLOC_CTX *mem_ctx,
+                                         const struct auth_user_info_dc *info,
+                                         DATA_BLOB *requester_sid_blob)
+{
+       enum ndr_err_code ndr_err;
+       NTSTATUS nt_status;
+
+       if (requester_sid_blob != NULL) {
+               *requester_sid_blob = data_blob_null;
+       }
+
        if (requester_sid_blob != NULL && info->num_sids > 0) {
                union PAC_INFO pac_requester_sid;
 
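Review bot: in the new static samba_get_requester_sid_pac_blob(), `requester_sid_blob` is tested for NULL twice (`if (requester_sid_blob != NULL)` and again in the `&& info->num_sids > 0` condition); that was only needed when it was an optional secondary output of the logon-info builder. As a dedicated function it should either require the output pointer with an `SMB_ASSERT`, as samba_kdc_get_cred_ndr_blob() does further down, or document that NULL is a no-op, and the double check then collapses to one.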
@@ -819,10 +830,8 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
 {
        krb5_data logon_data;
        krb5_error_code ret;
-#ifdef SAMBA4_USES_HEIMDAL
        char null_byte = '\0';
        krb5_data null_data = smb_krb5_make_data(&null_byte, 0);
-#endif
 
        /* The user account may be set not to want the PAC */
        if (logon_blob == NULL) {
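Review bot: removing the `#ifdef SAMBA4_USES_HEIMDAL` around `null_byte`/`null_data` means the MIT build also carries a zero-length krb5_data with a non-NULL pointer; that is harmless and needed, since the empty-claims path further down uses it for both backends. The reason (Heimdal's krb5_pac_add_buffer() asserts a non-NULL data pointer, per the commit message) belongs in a comment next to the declaration, not only in the commit message.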
@@ -846,10 +855,19 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
        }
 
        if (client_claims_blob != NULL) {
-               krb5_data client_claims_data = 
smb_krb5_data_from_blob(*client_claims_blob);
+               krb5_data client_claims_data;
+               krb5_data *data = NULL;
+
+               if (client_claims_blob->length != 0) {
+                       client_claims_data = 
smb_krb5_data_from_blob(*client_claims_blob);
+                       data = &client_claims_data;
+               } else {
+                       data = &null_data;
+               }
+
                ret = krb5_pac_add_buffer(context, pac,
                                          PAC_TYPE_CLIENT_CLAIMS_INFO,
-                                         &client_claims_data);
+                                         data);
                if (ret != 0) {
                        return ret;
                }
@@ -1071,7 +1089,8 @@ int samba_krbtgt_is_in_db(struct samba_kdc_entry *p,
  */
 static NTSTATUS samba_add_asserted_identity(TALLOC_CTX *mem_ctx,
                                            enum samba_asserted_identity ai,
-                                           struct auth_user_info_dc 
*user_info_dc)
+                                           struct auth_SidAttr **sids,
+                                           uint32_t *num_sids)
 {
        struct dom_sid ai_sid;
        const char *sid_str = NULL;
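Review bot: changing samba_add_asserted_identity() to take `struct auth_SidAttr **sids, uint32_t *num_sids` is what makes the no-cache-mutation fix possible, since the caller can now pass a private copy of the array; the doc comment above (cut off in this hunk) should say explicitly that the array is reallocated on `mem_ctx` and that callers must not pass the cached user_info_dc's own `sids` pointer.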
@@ -1090,11 +1109,11 @@ static NTSTATUS samba_add_asserted_identity(TALLOC_CTX 
*mem_ctx,
        dom_sid_parse(sid_str, &ai_sid);
 
        return add_sid_to_array_attrs_unique(
-               user_info_dc,
+               mem_ctx,
                &ai_sid,
                SE_GROUP_DEFAULT_FLAGS,
-               &user_info_dc->sids,
-               &user_info_dc->num_sids);
+               sids,
+               num_sids);
 }
 
 /*
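Review bot: `mem_ctx` replaces `user_info_dc` as the talloc parent passed to add_sid_to_array_attrs_unique(), so the grown `sids` array is now owned by the caller's context rather than by the structure it logically belongs to; the caller must keep that context alive at least as long as whatever struct ends up holding the `sids` pointer. A comment at the call site, or a talloc_steal() onto the owning struct, would restore the invariant visibly.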
@@ -1102,9 +1121,10 @@ static NTSTATUS samba_add_asserted_identity(TALLOC_CTX 
*mem_ctx,
  * structure. If the resulting structure is not talloc_free()d, it will be
  * reused on future calls to this function.
  */
-NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry,
+NTSTATUS samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx,
+                                         struct samba_kdc_entry *skdc_entry,
                                          const struct ldb_message *msg,
-                                         struct auth_user_info_dc 
**user_info_dc)
+                                         const struct auth_user_info_dc 
**user_info_dc)
 {
        if (skdc_entry->user_info_dc == NULL) {
                NTSTATUS nt_status;
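Review bot: the comment above this signature still says "If the resulting structure is not talloc_free()d, it will be reused on future calls", but the function now returns a `const` pointer and takes a `mem_ctx`; the comment should be updated to describe who owns the cached structure, what `mem_ctx` is for, and that callers must copy rather than modify the returned data, which is the whole point of the commit.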
@@ -1129,161 +1149,227 @@ NTSTATUS samba_kdc_get_user_info_from_db(struct 
samba_kdc_entry *skdc_entry,
        return NT_STATUS_OK;
 }
 
-NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
-                                struct samba_kdc_entry *p,
-                                enum samba_asserted_identity asserted_identity,
-                                const enum auth_group_inclusion 
group_inclusion,
-                                DATA_BLOB **_logon_info_blob,
-                                DATA_BLOB **_cred_ndr_blob,
-                                DATA_BLOB **_upn_info_blob,
-                                DATA_BLOB **_pac_attrs_blob,
-                                uint64_t pac_attributes,
-                                DATA_BLOB **_requester_sid_blob,
-                                DATA_BLOB **_client_claims_blob)
+NTSTATUS samba_kdc_get_logon_info_blob(TALLOC_CTX *mem_ctx,
+                                      const struct auth_user_info_dc 
*user_info_dc,
+                                      const enum auth_group_inclusion 
group_inclusion,
+                                      DATA_BLOB **_logon_info_blob)
 {
-       struct auth_user_info_dc *user_info_dc = NULL;
        DATA_BLOB *logon_blob = NULL;
-       DATA_BLOB *cred_blob = NULL;
-       DATA_BLOB *upn_blob = NULL;
-       DATA_BLOB *pac_attrs_blob = NULL;
-       DATA_BLOB *requester_sid_blob = NULL;
-       DATA_BLOB *client_claims_blob = NULL;
        NTSTATUS nt_status;
 
        *_logon_info_blob = NULL;
-       if (_cred_ndr_blob != NULL) {
-               *_cred_ndr_blob = NULL;
-       }
-       *_upn_info_blob = NULL;
-       if (_pac_attrs_blob != NULL) {
-               *_pac_attrs_blob = NULL;
-       }
-       if (_requester_sid_blob != NULL) {
-               *_requester_sid_blob = NULL;
-       }
-       if (_client_claims_blob != NULL) {
-               *_client_claims_blob = NULL;
-       }
 
        logon_blob = talloc_zero(mem_ctx, DATA_BLOB);
        if (logon_blob == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
 
-       if (_cred_ndr_blob != NULL) {
-               cred_blob = talloc_zero(mem_ctx, DATA_BLOB);
-               if (cred_blob == NULL) {
-                       return NT_STATUS_NO_MEMORY;
-               }
+       nt_status = samba_get_logon_info_pac_blob(logon_blob,
+                                                 user_info_dc,
+                                                 NULL,
+                                                 group_inclusion,
+                                                 logon_blob);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               DBG_ERR("Building PAC LOGON INFO failed: %s\n",
+                       nt_errstr(nt_status));
+               return nt_status;
        }
 
-       upn_blob = talloc_zero(mem_ctx, DATA_BLOB);
-       if (upn_blob == NULL) {
+       *_logon_info_blob = logon_blob;
+
+       return NT_STATUS_OK;
+}
+
+NTSTATUS samba_kdc_get_cred_ndr_blob(TALLOC_CTX *mem_ctx,
+                                    const struct samba_kdc_entry *p,
+                                    DATA_BLOB **_cred_ndr_blob)
+{
+       DATA_BLOB *cred_blob = NULL;
+       NTSTATUS nt_status;
+
+       SMB_ASSERT(_cred_ndr_blob != NULL);
+
+       *_cred_ndr_blob = NULL;
+
+       cred_blob = talloc_zero(mem_ctx, DATA_BLOB);
+       if (cred_blob == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
 
-       if (_pac_attrs_blob != NULL) {
-               pac_attrs_blob = talloc_zero(mem_ctx, DATA_BLOB);
-               if (pac_attrs_blob == NULL) {
-                       return NT_STATUS_NO_MEMORY;
-               }
+       nt_status = samba_get_cred_info_ndr_blob(cred_blob,
+                                                p->msg,
+                                                cred_blob);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               DBG_ERR("Building PAC CRED INFO failed: %s\n",
+                       nt_errstr(nt_status));
+               return nt_status;
        }
 
-       if (_requester_sid_blob != NULL) {
-               requester_sid_blob = talloc_zero(mem_ctx, DATA_BLOB);
-               if (requester_sid_blob == NULL) {
-                       return NT_STATUS_NO_MEMORY;
-               }
-       }
+       *_cred_ndr_blob = cred_blob;
 
-       if (_client_claims_blob != NULL) {
-               /*
-                * Until we support claims we just
-                * return an empty blob,
-                * that matches what Windows is doing
-                * without defined claims
-                */
-               client_claims_blob = talloc_zero(mem_ctx, DATA_BLOB);
-               if (client_claims_blob == NULL) {
-                       return NT_STATUS_NO_MEMORY;
-               }
+       return NT_STATUS_OK;
+}
+
+NTSTATUS samba_kdc_get_upn_info_blob(TALLOC_CTX *mem_ctx,
+                                    const struct auth_user_info_dc 
*user_info_dc,
+                                    DATA_BLOB **_upn_info_blob)
+{
+       DATA_BLOB *upn_blob = NULL;
+       NTSTATUS nt_status;
+
+       *_upn_info_blob = NULL;
+
+       upn_blob = talloc_zero(mem_ctx, DATA_BLOB);
+       if (upn_blob == NULL) {
+               return NT_STATUS_NO_MEMORY;
        }
 
-       nt_status = samba_kdc_get_user_info_from_db(p,
-                                                   p->msg,
-                                                   &user_info_dc);
+       nt_status = samba_get_upn_info_pac_blob(upn_blob,
+                                               user_info_dc,
+                                               upn_blob);
        if (!NT_STATUS_IS_OK(nt_status)) {
-               DEBUG(0, ("Getting user info for PAC failed: %s\n",
+               DEBUG(0, ("Building PAC UPN INFO failed: %s\n",
                          nt_errstr(nt_status)));
                return nt_status;
        }
 
-       nt_status = samba_add_asserted_identity(mem_ctx,
-                                               asserted_identity,
-                                               user_info_dc);
+       *_upn_info_blob = upn_blob;
+
+       return NT_STATUS_OK;
+}
+
+NTSTATUS samba_kdc_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
+                                     uint64_t pac_attributes,
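Review bot: across the new per-blob helpers the logging is inconsistent: samba_kdc_get_logon_info_blob() and samba_kdc_get_cred_ndr_blob() use `DBG_ERR(...)` while samba_kdc_get_upn_info_blob() keeps the old `DEBUG(0, (...))` form; settle on `DBG_ERR` for all of them. The NULL-output contract also varies: samba_kdc_get_cred_ndr_blob() guards with `SMB_ASSERT(_cred_ndr_blob != NULL)` while the logon and UPN helpers write through their output pointer unconditionally; apply the same assert to each. Each helper passes its blob as both talloc parent and output (`samba_get_logon_info_pac_blob(logon_blob, ..., logon_blob)`), which is the existing idiom and means a failed build leaks nothing beyond the blob itself; the `return nt_status;` paths should still free it. The changeset is truncated at 500 lines, so samba_kdc_get_pac_attrs_blob() and the remaining helpers could not be reviewed here.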


-- 
Samba Shared Repository
