I’m not sure exactly how this check was supposed to work. But in any
case, within fast_unwrap_request() the Heimdal KDC replaces the outer
padata with the padata from the inner FAST request. Hence, this check
does not accomplish anything useful: at no point should the KDC plugin
see the outer padata.
A couple of unwanted consequences resulted from this check. One was that
a client who sent empty FX‐FAST padata within the inner FAST request
would receive the *Authentication Authority* Asserted Identity SID
instead of the *Service* Asserted Identity SID. Another consequence was
that a client could in the same manner bypass the restriction on
performing S4U2Self with an RODC‐issued TGT.
Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
Heimdal plugin API gives us nothing better to work with.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5c580dbdb3e6a70c8d2f5059e2b7293a7e780414)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477
static bool samba_wdc_is_s4u2self_req(astgs_request_t r)
{
- krb5_kdc_configuration *config = kdc_request_get_config((kdc_request_t)r);
const KDC_REQ *req = kdc_request_get_req(r);
const PA_DATA *pa_for_user = NULL;
return false;
}
- if (config->enable_fast && req->padata != NULL) {
- const PA_DATA *pa_fx_fast = NULL;
- int idx = 0;
-
- pa_fx_fast = krb5_find_padata(req->padata->val,
- req->padata->len,
- KRB5_PADATA_FX_FAST,
- &idx);
- if (pa_fx_fast != NULL) {
- /*
- * We're in the outer request
- * with KRB5_PADATA_FX_FAST
- * if fast is enabled we'll
- * process the s4u2self
- * request only in the
- * inner request.
- */
- return false;
- }
- }
-
if (req->padata != NULL) {
int idx = 0;
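Review bot: with the FX-FAST block gone, nothing in the function records why a check on KRB5_PADATA_FX_FAST is unnecessary here; the commit message says this relies on fast_unwrap_request() having already replaced the outer padata with the inner request's padata, so a short comment above the remaining `if (req->padata != NULL)` block stating that the padata inspected here is always the unwrapped inner padata would stop a later reader from reintroducing an outer/inner distinction keyed on FX-FAST, which is exactly what let an inner request carrying empty FX-FAST padata skip the S4U2Self handling. Separately, the context lines `const PA_DATA *pa_for_user = NULL;` followed directly by `return false;` and `}` look truncated in this rendering, since a bare `return false;` at function scope makes the rest of the body unreachable; confirm the full hunk includes the guard condition between them before merging.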