The branch, master has been updated
       via  b0524830aaf s4:kdc: don't log an error if msDS-AllowedToActOnBehalfOfOtherIdentity is missing
       via  e9367887123 s4:kdc: Include default groups in security token
       via  34760dfc89e s4:kdc: Implement Heimdal hook for resource-based constrained delegation
       via  fc33033bacf tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure statuses
       via  fcfdb44381f tests/krb5: Be less strict regarding acceptable delegation error codes
       via  0e43d11e39b s4:kdc: Remove useless sdb → hdb error code translation
       via  7e76f36d918 s4:kdc: Initialize pointers with NULL
       via  3784bca73e0 third_party/heimdal: Import lorikeet-heimdal-202306200407 (commit fc2894beeaa71897753975154a5f7fd80b923325)
      from  de2738fb9a7 smbd: Don't mask open error if fstatat() fails

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit b0524830aaf0ccf7dc2efbe66d2bf38b509c0143
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 23 11:51:47 2023 +0200

    s4:kdc: don't log an error if msDS-AllowedToActOnBehalfOfOtherIdentity is missing

    We log a warning if access is not granted from a security descriptor in
    msDS-AllowedToActOnBehalfOfOtherIdentity, so we should use the same log
    level if msDS-AllowedToActOnBehalfOfOtherIdentity is not available at all.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Tue Jun 27 06:39:08 UTC 2023 on atb-devel-224

commit e9367887123ce43c55a7ab436afe659900bdc532
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 16:50:18 2023 +1200

    s4:kdc: Include default groups in security token

    This is consistent with the behaviour of the existing function
    _authn_policy_access_check() and of Windows.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 34760dfc89e879a889d64b48c606ccbaf10e8ba3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 14:22:15 2023 +1200

    s4:kdc: Implement Heimdal hook for resource-based constrained delegation

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit fc33033bacfe9f800678bd41977d3a20f5072bc0
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 16:48:58 2023 +1200

    tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure statuses

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit fcfdb44381f60007679b5cdcff44b4aaf866b376
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 16:46:03 2023 +1200

    tests/krb5: Be less strict regarding acceptable delegation error codes

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 0e43d11e39bf57dccebd661e028a717be2b8803c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 16:41:05 2023 +1200

    s4:kdc: Remove useless sdb → hdb error code translation

    samba_kdc_check_s4u2proxy() is never going to return an SDB_* error
    code, so these conditions can never be hit.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 7e76f36d91866d4e91aabf38c9b97c3cf78e63e2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 16:40:03 2023 +1200

    s4:kdc: Initialize pointers with NULL

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3784bca73e0f4c14cfcc7d34ec67f25f193747e7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 16:33:17 2023 +1200

    third_party/heimdal: Import lorikeet-heimdal-202306200407 (commit fc2894beeaa71897753975154a5f7fd80b923325)

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/authn_policy_tests.py | 40 +++++++-----
 python/samba/tests/krb5/s4u_tests.py          | 36 +++++++----
 selftest/knownfail_heimdal_kdc                | 23 -------
 source4/kdc/db-glue.c                         | 12 ++--
 source4/kdc/hdb-samba4.c                      | 50 ++++++++-------
 third_party/heimdal/kdc/mssfu.c               | 87 +++++++++++++++++++++++++--
 third_party/heimdal/lib/hdb/hdb.h             |  5 ++
 7 files changed, 171 insertions(+), 82 deletions(-)

Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py index 5ffdba41e99..b2625cc4013 100755 --- a/python/samba/tests/krb5/authn_policy_tests.py +++ b/python/samba/tests/krb5/authn_policy_tests.py 
@@ -5382,18 +5382,24 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): self.discardMessages() # Show that obtaining a service ticket with RBCD is not allowed. - self._tgs_req(service_tgt, KDC_ERR_POLICY, service_creds, target_creds, - armor_tgt=mach_tgt, - kdc_options=kdc_options, - pac_options='1001', # supports claims, RBCD - additional_ticket=client_service_tkt, - decryption_key=target_decryption_key, - expect_edata=self.expect_padata_outer, - check_patypes=False) + self._tgs_req( + service_tgt, KDC_ERR_POLICY, service_creds, target_creds, + armor_tgt=mach_tgt, + kdc_options=kdc_options, + pac_options='1001', # supports claims, RBCD + additional_ticket=client_service_tkt, + decryption_key=target_decryption_key, + expect_edata=self.expect_padata_outer, + expected_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + check_patypes=False) - self.check_tgs_log(client_creds, target_creds, - policy=policy, - checked_creds=service_creds) + self.check_tgs_log( + service_creds, target_creds, + policy=policy, + checked_creds=service_creds, + status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.KERBEROS_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED) def test_authn_policy_allowed_to_user_allow_rbcd_wrong_sname(self): samdb = self.get_samdb() @@ -5460,8 +5466,9 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): expect_edata=self.expect_padata_outer, check_patypes=False) - self.check_tgs_log(client_creds, target_creds, - checked_creds=service_creds) + self.check_tgs_log(service_creds, target_creds, + checked_creds=service_creds, + status=ntstatus.NT_STATUS_UNSUCCESSFUL) def test_authn_policy_allowed_to_user_allow_constrained_delegation_to_self(self): samdb = self.get_samdb() 
@@ -5974,8 +5981,11 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): expect_edata=self.expect_padata_outer, check_patypes=False) - self.check_tgs_log(client_creds, service_creds, - policy=policy, + self.check_tgs_log(service_creds, service_creds, + # The failure is not due to a policy error, so no + # policy appears in the logs. + policy=None, + status=ntstatus.NT_STATUS_UNSUCCESSFUL, checked_creds=service_creds) def test_authn_policy_allowed_to_computer_allow_user2user(self): diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index fbd32d00dd1..d91c06c418f 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -1018,7 +1018,8 @@ class S4UKerberosTests(KDCBaseTest): self._run_delegation_test( { 'expected_error_mode': (KDC_ERR_MODIFIED, - KDC_ERR_BADOPTION), + KDC_ERR_BADOPTION, + KDC_ERR_TGT_REVOKED), 'allow_delegation': True, 'modify_client_tkt_fn': self.remove_ticket_pac, 'expect_edata': False, @@ -1128,7 +1129,8 @@ class S4UKerberosTests(KDCBaseTest): # contain a PAC, and an empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( { - 'expected_error_mode': KDC_ERR_MODIFIED, + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_TGT_REVOKED), # We aren’t particular about whether or not we get an NTSTATUS. 'expect_status': None, 'expected_status': ntstatus.NT_STATUS_NOT_SUPPORTED, @@ -1144,7 +1146,8 @@ class S4UKerberosTests(KDCBaseTest): # contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( { - 'expected_error_mode': KDC_ERR_MODIFIED, + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_TGT_REVOKED), # We aren’t particular about whether or not we get an NTSTATUS. 'expect_status': None, 'expected_status': ntstatus.NT_STATUS_NO_MATCH, 
@@ -1177,7 +1180,8 @@ class S4UKerberosTests(KDCBaseTest): # contain a PAC, and an empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( { - 'expected_error_mode': KDC_ERR_MODIFIED, + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_TGT_REVOKED), # We aren’t particular about whether or not we get an NTSTATUS. 'expect_status': None, 'expected_status': ntstatus.NT_STATUS_NOT_SUPPORTED, @@ -1196,7 +1200,8 @@ class S4UKerberosTests(KDCBaseTest): # contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( { - 'expected_error_mode': KDC_ERR_MODIFIED, + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_TGT_REVOKED), # We aren’t particular about whether or not we get an NTSTATUS. 'expect_status': None, 'expected_status': ntstatus.NT_STATUS_NO_MATCH, @@ -1356,7 +1361,8 @@ class S4UKerberosTests(KDCBaseTest): for checksum in self.pac_checksum_types: with self.subTest(checksum=checksum): if checksum == krb5pac.PAC_TYPE_TICKET_CHECKSUM: - expected_error_mode = KDC_ERR_MODIFIED + expected_error_mode = (KDC_ERR_MODIFIED, + KDC_ERR_BADOPTION) else: expected_error_mode = KDC_ERR_GENERIC @@ -1443,7 +1449,8 @@ class S4UKerberosTests(KDCBaseTest): with self.subTest(checksum=checksum): self._run_delegation_test( { - 'expected_error_mode': KDC_ERR_MODIFIED, + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_BAD_INTEGRITY), # We aren’t particular about whether or not we get an # NTSTATUS. 'expect_status': None, @@ -1462,7 +1469,8 @@ class S4UKerberosTests(KDCBaseTest): for checksum in self.pac_checksum_types: with self.subTest(checksum=checksum): if checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM: - expected_error_mode = KDC_ERR_MODIFIED + expected_error_mode = (KDC_ERR_MODIFIED, + KDC_ERR_BAD_INTEGRITY) # We aren’t particular about whether or not we get an # NTSTATUS. expect_status = None 
@@ -1551,9 +1559,11 @@ class S4UKerberosTests(KDCBaseTest): with self.subTest(checksum=checksum, ctype=ctype): if (checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM and ctype == Cksumtype.SHA1): - expected_error_mode = KDC_ERR_SUMTYPE_NOSUPP + expected_error_mode = (KDC_ERR_SUMTYPE_NOSUPP, + KDC_ERR_INAPP_CKSUM) else: - expected_error_mode = KDC_ERR_GENERIC + expected_error_mode = (KDC_ERR_GENERIC, + KDC_ERR_INAPP_CKSUM) self._run_delegation_test( { @@ -1582,10 +1592,12 @@ class S4UKerberosTests(KDCBaseTest): # NTSTATUS. expect_status = None if ctype == Cksumtype.SHA1: - expected_error_mode = KDC_ERR_SUMTYPE_NOSUPP + expected_error_mode = (KDC_ERR_SUMTYPE_NOSUPP, + KDC_ERR_INAPP_CKSUM) expected_status = ntstatus.NT_STATUS_LOGON_FAILURE else: - expected_error_mode = KDC_ERR_GENERIC + expected_error_mode = (KDC_ERR_GENERIC, + KDC_ERR_INAPP_CKSUM) expected_status = ( ntstatus.NT_STATUS_INSUFFICIENT_RESOURCES) else: diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 48a274ab243..61b00aa0200 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc 
@@ -22,25 +22,9 @@ # # S4U tests # -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_rbcd_old_checksum -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_client_checksum -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_a -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_b -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_client_checksum -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed # -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_client_pac_no_auth_data_required -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd\( -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_a -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_rodc_issued -# # https://bugzilla.samba.org/show_bug.cgi?id=14886: Tests for accounts not revealed to the RODC # # The KDC should not accept tickets 
from an RODC for accounts not in the msDS-RevealedUsers list. @@ -79,10 +63,3 @@ # ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_empty.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_empty.ad_dc -^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd.ad_dc -^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd_to_self.ad_dc -^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd_wrong_sname.ad_dc -^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_rbcd.ad_dc -^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_rbcd_to_self.ad_dc -^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_not_allowed_rbcd_to_self.ad_dc -^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_rbcd_not_allowed_from.ad_dc diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index b99abd18c73..5894b47ecd9 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c 
@@ -3352,7 +3352,9 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd( struct security_descriptor *rbcd_security_descriptor = NULL; struct auth_user_info_dc *user_info_dc = NULL; struct security_token *security_token = NULL; - uint32_t session_info_flags = AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + uint32_t session_info_flags = + AUTH_SESSION_INFO_DEFAULT_GROUPS | + AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; /* * Testing shows that although Windows grants SEC_ADS_GENERIC_ALL access * in security descriptors it creates for RBCD, its KDC only requires @@ -3447,10 +3449,10 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd( data = ldb_msg_find_ldb_val(proxy_skdc_entry->msg, "msDS-AllowedToActOnBehalfOfOtherIdentity"); if (data == NULL) { - DBG_ERR("Could not find security descriptor " - "msDS-AllowedToActOnBehalfOfOtherIdentity in " - "proxy[%s]\n", - proxy_dn); + DBG_WARNING("Could not find security descriptor " + "msDS-AllowedToActOnBehalfOfOtherIdentity in " + "proxy[%s]\n", + proxy_dn); code = KRB5KDC_ERR_BADOPTION; goto out; } diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index ae6ce914917..482b546d019 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c 
@@ -303,35 +303,40 @@ hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db, hdb_entry *entry, krb5_const_principal target_principal) { - struct samba_kdc_db_context *kdc_db_ctx; - struct samba_kdc_entry *skdc_entry; - krb5_error_code ret; + struct samba_kdc_db_context *kdc_db_ctx = NULL; + struct samba_kdc_entry *skdc_entry = NULL; kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); skdc_entry = talloc_get_type_abort(entry->context, struct samba_kdc_entry); - ret = samba_kdc_check_s4u2proxy(context, kdc_db_ctx, - skdc_entry, - target_principal); - switch (ret) { - case 0: - break; - case SDB_ERR_WRONG_REALM: - ret = HDB_ERR_WRONG_REALM; - break; - case SDB_ERR_NOENTRY: - ret = HDB_ERR_NOENTRY; - break; - case SDB_ERR_NOT_FOUND_HERE: - ret = HDB_ERR_NOT_FOUND_HERE; - break; - default: - break; - } + return samba_kdc_check_s4u2proxy(context, kdc_db_ctx, + skdc_entry, + target_principal); +} - return ret; +static krb5_error_code +hdb_samba4_check_rbcd(krb5_context context, HDB *db, + krb5_const_principal client_principal, + krb5_const_principal server_principal, + krb5_const_pac header_pac, + const hdb_entry *proxy) +{ + struct samba_kdc_db_context *kdc_db_ctx = NULL; + struct samba_kdc_entry *proxy_skdc_entry = NULL; + + kdc_db_ctx = talloc_get_type_abort(db->hdb_db, + struct samba_kdc_db_context); + proxy_skdc_entry = talloc_get_type_abort(proxy->context, + struct samba_kdc_entry); + + return samba_kdc_check_s4u2proxy_rbcd(context, + kdc_db_ctx, + client_principal, + server_principal, + header_pac, + proxy_skdc_entry); } static krb5_error_code 
@@ -1150,6 +1155,7 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx, (*db)->hdb_audit = hdb_samba4_audit; (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation; + (*db)->hdb_check_rbcd = hdb_samba4_check_rbcd; (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match; (*db)->hdb_check_client_matches_target_service = hdb_samba4_check_client_matches_target_service; diff --git a/third_party/heimdal/kdc/mssfu.c b/third_party/heimdal/kdc/mssfu.c index c583c9b667d..cd5aa9a1df7 100644 --- a/third_party/heimdal/kdc/mssfu.c +++ b/third_party/heimdal/kdc/mssfu.c @@ -96,6 +96,38 @@ check_constrained_delegation(krb5_context context, return ret; } +/* + * Determine if resource-based constrained delegation is allowed from this + * client to this server + */ + +static krb5_error_code +check_rbcd(krb5_context context, + krb5_kdc_configuration *config, + HDB *clientdb, + krb5_const_principal s4u_principal, + krb5_const_principal client_principal, + krb5_const_pac client_pac, + const hdb_entry *target) +{ + krb5_error_code ret = KRB5KDC_ERR_BADOPTION; + + if (clientdb->hdb_check_rbcd) { + ret = clientdb->hdb_check_rbcd(context, + clientdb, + s4u_principal, + client_principal, + client_pac, + target); + if (ret == 0) + return 0; + } + + kdc_log(context, config, 4, + "Bad request for resource-based constrained delegation"); + return ret; +} + /* * Validate a protocol transition (S4U2Self) request. If successfully * validated then the client in the request structure will be replaced @@ -350,6 +382,9 @@ _kdc_validate_constrained_delegation(astgs_request_t r) Key *clientkey; Ticket *t; krb5_const_realm local_realm; + const PA_DATA *pac_options_data = NULL; + int pac_options_data_idx = 0; + krb5_boolean rbcd_support = FALSE; memset(&evidence_tkt, 0, sizeof(evidence_tkt)); local_realm = 
@@ -457,13 +492,55 @@ _kdc_validate_constrained_delegation(astgs_request_t r) goto out; } - ret = check_constrained_delegation(r->context, r->config, r->clientdb, - r->client, r->server, r->server_princ); - if (ret) { + pac_options_data = _kdc_find_padata(&r->req, + &pac_options_data_idx, + KRB5_PADATA_PAC_OPTIONS); + if (pac_options_data != NULL) { + PA_PAC_OPTIONS pac_options; + size_t size = 0; + + ret = decode_PA_PAC_OPTIONS(pac_options_data->padata_value.data, + pac_options_data->padata_value.length, + &pac_options, + &size); + if (ret) { + goto out; + } + + if (size != pac_options_data->padata_value.length) { + free_PA_PAC_OPTIONS(&pac_options); + ret = KRB5KDC_ERR_BADOPTION; + goto out; + } + + rbcd_support = pac_options.flags.resource_based_constrained_delegation != 0; + + free_PA_PAC_OPTIONS(&pac_options); + } + + if (rbcd_support) { + ret = check_rbcd(r->context, r->config, r->clientdb, + s4u_client_name, r->client_princ, r->pac, r->server); + } else { + ret = KRB5KDC_ERR_BADOPTION; + } + if (ret == KRB5KDC_ERR_BADOPTION) { + /* RBCD was denied or not supported; try constrained delegation. */ + ret = check_constrained_delegation(r->context, r->config, r->clientdb, + r->client, r->server, r->server_princ); + if (ret) { + kdc_audit_addreason((kdc_request_t)r, + "Constrained delegation not allowed"); + kdc_log(r->context, r->config, 4, + "constrained delegation from %s (%s) as %s to %s not allowed", + r->cname, s4usname, s4ucname, r->sname); + goto out; + } + } else if (ret) { kdc_audit_addreason((kdc_request_t)r, - "Constrained delegation not allowed"); + "Resource-based constrained delegation not allowed"); kdc_log(r->context, r->config, 4, - "constrained delegation from %s (%s) as %s to %s not allowed", + "resource-based constrained delegation from %s (%s) as %s to %s not allowed", r->cname, s4usname, s4ucname, r->sname); goto out; } diff --git a/third_party/heimdal/lib/hdb/hdb.h b/third_party/heimdal/lib/hdb/hdb.h index 87377513d54..6534766a18c 100644 
--- a/third_party/heimdal/lib/hdb/hdb.h +++ b/third_party/heimdal/lib/hdb/hdb.h @@ -286,6 +286,11 @@ typedef struct HDB { */ krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry *, krb5_const_principal); + /** + * Check if resource-based constrained delegation (RBCD) is allowed. + */ + krb5_error_code (*hdb_check_rbcd)(krb5_context, struct HDB *, krb5_const_principal, krb5_const_principal, krb5_const_pac, const hdb_entry *); + /** * Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins */ -- Samba Shared Repository
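Review bot: In the first authn_policy_tests.py hunk (@@ -5382), the first argument of check_tgs_log() changes from client_creds to service_creds, but neither the commit message nor a comment says why; the new `expected_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED` is the stated purpose of the commit, while the swap silently changes which principal the audit log entry is checked against. A one-line comment (for example, that for an S4U2Proxy request the KDC audits the delegating service as the requesting client) would make the intent reviewable, and the same swap recurs in the @@ -5460 and @@ -5974 hunks.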
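Review bot: In the s4u_tests.py hunks starting at @@ -1018, 'expected_error_mode' grows from a single code to a tuple such as `(KDC_ERR_MODIFIED, KDC_ERR_TGT_REVOKED)`, so the tests now accept either code without recording which KDC or code path produces which; "Be less strict" in the commit message does not say why KDC_ERR_TGT_REVOKED is acceptable for a client ticket whose PAC was removed. A short comment beside each widened tuple naming the KDC that returns the added code would keep the tolerance from masking a later regression in which the wrong code is returned for the wrong reason.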
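Review bot: In the @@ -1551 and @@ -1582 hunks of s4u_tests.py, KDC_ERR_INAPP_CKSUM is added to both branches of the if/else, so `(KDC_ERR_SUMTYPE_NOSUPP, KDC_ERR_INAPP_CKSUM)` and `(KDC_ERR_GENERIC, KDC_ERR_INAPP_CKSUM)` overlap, and a KDC that answers every bad checksum with KDC_ERR_INAPP_CKSUM passes both branches; the SHA1-specific expectation no longer distinguishes an unsupported checksum type from any other checksum failure. If one KDC returns INAPP_CKSUM in both cases, selecting the expected code per KDC (for example via a subTest parameter) would preserve the distinction instead of unioning the sets.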
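Review bot: In the db-glue.c hunk at @@ -3447, lowering the missing-attribute message to DBG_WARNING still logs once per request for an ordinary condition: with the mssfu.c changes, any TGS request whose PA-PAC-OPTIONS sets the RBCD flag reaches samba_kdc_check_s4u2proxy_rbcd() first, and a target account without msDS-AllowedToActOnBehalfOfOtherIdentity is the normal case for classic constrained delegation, which the caller then tries as the fallback on KRB5KDC_ERR_BADOPTION. Since the absence of the attribute is not a misconfiguration, DBG_INFO would keep warning-level output reserved for the case the commit message describes, a security descriptor that is present but denies access.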
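Review bot: In the mssfu.c hunk adding check_rbcd() (@@ -96), a backend with no hdb_check_rbcd hook and a backend that denies the request both reach the same `kdc_log(context, config, 4, "Bad request for resource-based constrained delegation")` with KRB5KDC_ERR_BADOPTION, so the log cannot tell an unsupported backend from a denied delegation, and the line is emitted even though the caller immediately retries classic constrained delegation. Suggest returning KRB5KDC_ERR_BADOPTION without the log when the hook is absent, and logging the denial only when the hook actually returned non-zero.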
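Review bot: In the mssfu.c hunk at @@ -457, a decode_PA_PAC_OPTIONS() failure does `goto out` with the raw ASN.1 decoder return value as ret and no kdc_audit_addreason(), whereas the trailing-bytes case a few lines later sets KRB5KDC_ERR_BADOPTION; the two malformed-padata cases should be handled alike, and an audit reason such as "Invalid PA-PAC-OPTIONS" would explain the rejection in the KDC audit log. Separately, when RBCD is attempted and comes back KRB5KDC_ERR_BADOPTION (as the missing-attribute path in db-glue.c does) and the classic check then also fails, the audit reason is only "Constrained delegation not allowed", so the record loses the fact that an RBCD check ran and failed first; including that in the reason would help anyone investigating a delegation failure.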
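Review bot: In the hdb.h hunk (@@ -286), the new hdb_check_rbcd member is inserted into struct HDB between hdb_check_constrained_delegation and hdb_check_pkinit_ms_upn_match, which shifts the offsets of every later member, so an HDB backend built against the previous layout would call the wrong function pointer. That is fine for the vendored tree under third_party/heimdal, but it is worth a sentence in the commit message, and appending the member at the end of the struct would avoid the issue if the header is ever shared. The prototype also has two unnamed krb5_const_principal parameters; naming them in the declaration or the doc comment (client and server, as hdb_samba4_check_rbcd() does) would spell out the order that the check_rbcd() caller in mssfu.c relies on.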