s4:mitkdc: Add support for pac_attrs and requester_sid
authorAndreas Schneider <asn@samba.org>
Mon, 13 Dec 2021 07:33:05 +0000 (08:33 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 15 Dec 2021 03:41:32 +0000 (03:41 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail_mit_kdc
source4/kdc/mit-kdb/kdb_samba_policies.c
source4/kdc/mit_samba.c
source4/kdc/mit_samba.h

index 964fcddbf6630abedfd365f457ded36529e7db00..79c1219e2d5e0142c5fe9dac3fab48effac7f4f9 100644 (file)
@@ -425,7 +425,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_none
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_true
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_req
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_allowed_denied
@@ -492,7 +491,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_srealm
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_none
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_true
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_req
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_allowed_denied
@@ -510,14 +508,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_false
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_renew_false
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_renew_none
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_renew_true
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_rodc_renew_false
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_rodc_renew_none
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_rodc_renew_true
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_none
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_renew_false
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_renew_none
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_renew_true
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_false
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none
@@ -539,21 +534,14 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 # PAC requester SID tests
 #
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_as_requester_sid
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_sid_mismatch_existing
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_sid_mismatch_nonexisting
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_existing
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid\(
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_renew
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_validate
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_sid_mismatch_existing
index 336aa3f711a95de11c4c189d1c62a6206b315fca..8af7329d369f31aec77182f679a7d4bdb1875225 100644 (file)
@@ -165,6 +165,7 @@ done:
 
 static krb5_error_code ks_get_pac(krb5_context context,
                                  krb5_db_entry *client,
+                                 krb5_db_entry *server,
                                  krb5_keyblock *client_key,
                                  krb5_pac *pac)
 {
@@ -179,6 +180,7 @@ static krb5_error_code ks_get_pac(krb5_context context,
        code = mit_samba_get_pac(mit_ctx,
                                 context,
                                 client,
+                                server,
                                 client_key,
                                 pac);
        if (code != 0) {
@@ -426,7 +428,11 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
         */
        if (with_pac && generate_pac) {
                DBG_DEBUG("Generate PAC for AS-REQ [%s]\n", client_name);
-               code = ks_get_pac(context, client_entry, client_key, &pac);
+               code = ks_get_pac(context,
+                                 client_entry,
+                                 server,
+                                 client_key,
+                                 &pac);
                if (code != 0) {
                        goto done;
                }
@@ -477,6 +483,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 
                                code = ks_get_pac(context,
                                                  client_entry,
+                                                 server,
                                                  client_key,
                                                  &pac);
                                if (code != 0 && code != ENOENT) {
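Review bot: ks_get_pac (signature at the top of the first hunk, body continuing outside it) now takes a `server` entry and forwards it to mit_samba_get_pac, but nothing at the definition says what it is for or that it must be non-NULL, and both call sites in kdb_samba_db_sign_auth_data pass `server` straight through without a check. The companion change in mit_samba.c dereferences `server->princ` to decide whether the PAC attributes and requester SID buffers are generated, so a NULL server entry would fault inside the KDB callback rather than fail cleanly. I would add a comment at the new parameter such as `/* server: service entry; only a krbtgt server gets PAC_ATTRIBUTES and REQUESTER_SID buffers */` and, if the KDC can ever call sign_auth_data with a NULL server entry (not visible here), reject it before the first ks_get_pac call.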
index 729b646bd88ac229f68093d316ae3f321a78bbb7..748a5f6e30c4bbd80b2dd585171077faa0adbafc 100644 (file)
@@ -433,6 +433,7 @@ int mit_samba_get_nextkey(struct mit_samba_context *ctx,
 int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                      krb5_context context,
                      krb5_db_entry *client,
+                     krb5_db_entry *server,
                      krb5_keyblock *client_key,
                      krb5_pac *pac)
 {
@@ -443,9 +444,12 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
        DATA_BLOB **cred_ndr_ptr = NULL;
        DATA_BLOB cred_blob = data_blob_null;
        DATA_BLOB *pcred_blob = NULL;
+       DATA_BLOB *pac_attrs_blob = NULL;
+       DATA_BLOB *requester_sid_blob = NULL;
        NTSTATUS nt_status;
        krb5_error_code code;
        struct samba_kdc_entry *skdc_entry;
+       bool is_krbtgt;
 
        skdc_entry = talloc_get_type_abort(client->e_data,
                                           struct samba_kdc_entry);
@@ -464,12 +468,16 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
        }
 #endif
 
+       is_krbtgt = ks_is_tgs_principal(smb_ctx, server->princ);
+
        nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
                                            skdc_entry,
                                            &logon_info_blob,
                                            cred_ndr_ptr,
                                            &upn_dns_info_blob,
-                                           NULL, NULL, NULL,
+                                           is_krbtgt ? &pac_attrs_blob : NULL,
+                                           NULL,
+                                           is_krbtgt ? &requester_sid_blob : NULL,
                                            NULL);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(tmp_ctx);
@@ -497,8 +505,8 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                                   logon_info_blob,
                                   pcred_blob,
                                   upn_dns_info_blob,
-                                  NULL,
-                                  NULL,
+                                  pac_attrs_blob,
+                                  requester_sid_blob,
                                   NULL,
                                   pac);
 
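Review bot: `server->princ` is dereferenced on the line assigning `is_krbtgt` with no NULL check, although `server` is a new parameter of a function exported through mit_samba.h, and nothing in the hunk states that callers must pass a valid entry. A guard such as `if (server == NULL) { talloc_free(tmp_ctx); return EINVAL; }` placed before that line would make the contract explicit (the function's error-code convention is not visible in the hunk, so match the value to the surrounding returns), and the same non-NULL requirement belongs on the prototype in mit_samba.h. It would also help to say why the two buffers are only requested for the TGS principal, e.g. `/* presumably PAC_ATTRIBUTES and REQUESTER_SID belong only in TGTs; confirm against the PAC spec */` next to the ternaries in the samba_kdc_get_pac_blobs call. mit_samba_get_pac begins and ends outside these hunks.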
index 636c77ec97cbe35cbb1536c0a8196de0c7ea1872..4431e82a1b2ec449f85582c0661635ed709eaebc 100644 (file)
@@ -50,6 +50,7 @@ int mit_samba_get_nextkey(struct mit_samba_context *ctx,
 int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                      krb5_context context,
                      krb5_db_entry *client,
+                     krb5_db_entry *server,
                      krb5_keyblock *client_key,
                      krb5_pac *pac);