The branch, master has been updated
       via  4926da69771 s4:kdc: split access check preparation from the actual check in samba_kdc_update_pac()
       via  4f67f1a6860 s4:kdc: let samba_kdc_get_claims_blob() check msDS-EgressClaimsTransformationPolicy
       via  2e00821766e s4:kdc: let samba_kdc_get_claims_data() check msDS-IngressClaimsTransformationPolicy
       via  df30d95694e s4:kdc: also fetch msDS-[In|E]gressClaimsTransformationPolicy
       via  0da3bb7feb9 s4:dsdb/common: add dsdb_trust_get_claims_tf_policy()
       via  a99ce6c560e s4:kdc: let samba_kdc_update_pac() always call samba_kdc_get_upn_info_blob()
       via  a1a0609da25 s4:kdc: let samba_kdc_update_pac() always call samba_kdc_get_logon_info_blob()
       via  c8b08ee5085 s4:kdc: also pass override_resource_groups to samba_kdc_get_logon_info_blob()
       via  6cd0297ffeb s4:kdc: move device_{info,claims}_blob generation in samba_kdc_update_pac()
       via  914533d38fc s4:kdc: regenerate the client claims blob in samba_kdc_update_pac() if needed
       via  e5591fd0b90 s4:kdc: let samba_kdc_get_claims_data() indicate if regeneration is needed
       via  ff5548e4e1b s4:kdc: rewrite the logic in samba_kdc_get_claims_data()
       via  93c69dfeb50 s4:kdc: let samba_kdc_get_claims_data_from_pac() return if a buffer was found
       via  3b6ffb47b42 s4:kdc: let samba_kdc_get_pac() use samba_kdc_get_claims_blob()
       via  72459f690e2 s4:kdc: let samba_kdc_get_claims_blob() take struct claims_data as input.
       via  5ada7c17b71 s4:kdc: let samba_kdc_update_pac() always fetch the user claims
       via  4f5be1cd78d s4:kdc: let samba_kdc_update_pac() use samba_kdc_entry_pac_valid_principal() to check delegated_proxy
       via  51d7db7e9f0 s4:kdc: remove useless samba_kdc_get_user_info_dc() from samba_kdc_get_device_info_blob()
       via  94e77288dc5 s4:kdc: move user_info_dc_shallow_copy variable in samba_kdc_update_pac()
       via  593b9c2e9c5 s4:kdc: move samba_kdc_get_user_info_dc() for the device in samba_kdc_update_pac()
       via  9fda646adbd s4:kdc: move samba_kdc_get_user_info_dc() up in samba_kdc_update_pac()
       via  8e0b132c080 s4:kdc: introduce need_device helper variable in samba_kdc_update_pac()
       via  e55caa68a55 s4:kdc: make samba_kdc_get_{user_info_dc,claims_data} static
       via  55c47104c14 s4:kdc: pass samba_kdc_entry_pac to samba_kdc_check_s4u2proxy_rbcd()
       via  58df2bd733a s4:kdc: move samba_kdc_check_s4u2proxy_rbcd() from db-glue to pac-glue
       via  4f5946ca0ce s4:kdc: make a lot of pac-glue.c functions static
       via  c004c32993c s4:kdc: let mit_samba_get_pac() use samba_kdc_get_pac()
       via  b5628d0f4ac s4:kdc: split out samba_kdc_get_pac() from samba_wdc_get_pac()
       via  ddeb85fd728 s4:kdc: don't return ENOENT from samba_kdc_get_claims_data[_from_pac]
       via  6e9d54a9eba s4:kdc: use better variable names in samba_wdc_check_client_access()
       via  4bc5b6f90f9 s4:auth: avoid talloc_reference in claims_data_encoded_claims_set()
      from  2cae470f236 winbindd: find_auth_domain() and find_lookup_domain_from_name() should handle namespaces

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4926da697714c9cdb3ffcc471d6860635dfbfea4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 21:42:53 2025 +0100

    s4:kdc: split access check preparation from the actual check in samba_kdc_update_pac()
    
    This allows us to add more access checks later...
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    
    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Sat Feb 22 23:04:04 UTC 2025 on atb-devel-224

commit 4f67f1a6860d31bdccfd689046d9bda51dc76703
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Feb 15 00:28:18 2025 +0100

    s4:kdc: let samba_kdc_get_claims_blob() check msDS-EgressClaimsTransformationPolicy
    
    For now we only allow the implicit (default) or explicit allow all
    policy, as well as a deny all policy.
    
    For all others we return an error in order to indicate the
    non-supported configuration.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 2e00821766e27622fc7be99fa14ce71d9161500a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 20 20:19:48 2025 +0100

    s4:kdc: let samba_kdc_get_claims_data() check msDS-IngressClaimsTransformationPolicy
    
    For now we only allow the implicit (default) or explicit deny all
    policy.
    
    For all others we return an error in order to indicate the
    non-supported configuration.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit df30d95694e7556b6ec2cc567af5901931ebc3e2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 23:52:57 2025 +0100

    s4:kdc: also fetch msDS-[In|E]gressClaimsTransformationPolicy
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 0da3bb7feb977e3cf0cd9a83de74eb041e997e05
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 20 00:31:36 2025 +0100

    s4:dsdb/common: add dsdb_trust_get_claims_tf_policy()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit a99ce6c560e24c3c6a87bb0d75a573edfe3ee065
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 17:28:42 2025 +0100

    s4:kdc: let samba_kdc_update_pac() always call samba_kdc_get_upn_info_blob()
    
    There's no reason not to regenerate it, and it makes the code more
    consistent.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit a1a0609da252bb483776ed060f536b9f8950c799
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 17:25:51 2025 +0100

    s4:kdc: let samba_kdc_update_pac() always call samba_kdc_get_logon_info_blob()
    
    The logic in samba_kdc_get_logon_info_blob() also does
    talloc_zero(tmp_ctx, DATA_BLOB) followed by calling
    samba_get_logon_info_pac_blob().
    
    So we can always just call samba_kdc_get_logon_info_blob().
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit c8b08ee508565b930ca751c207792657869a992d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 14:34:14 2025 +0100

    s4:kdc: also pass override_resource_groups to samba_kdc_get_logon_info_blob()
    
    This will make the following changes easier...
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 6cd0297ffebb8ea19bc6de10cf5de57661876606
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 14:12:27 2025 +0100

    s4:kdc: move device_{info,claims}_blob generation in samba_kdc_update_pac()
    
    We should generate the device blobs after generating the client blobs
    and also after all access checking.
    
    We also use the samba_kdc_get_claims_blob() helper,
    which is currently only a wrapper around
    claims_data_encoded_claims_set(), but that will change in future...
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 914533d38fcc3f923a9ccc98a5092854f782220a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 14:05:51 2025 +0100

    s4:kdc: regenerate the client claims blob in samba_kdc_update_pac() if needed
    
    Note that samba_kdc_get_claims_data() already handles the
    samba_kdc_entry_pac_issued_by_trust() case to clear the
    claims received from a trusted domain.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit e5591fd0b90ec5e338b62306f4fea78a7e1734bd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 20 16:33:59 2025 +0100

    s4:kdc: let samba_kdc_get_claims_data() indicate if regeneration is needed
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit ff5548e4e1bfc3c2936f8e2742822d32078af9f4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 20 16:22:43 2025 +0100

    s4:kdc: rewrite the logic in samba_kdc_get_claims_data()
    
    We should also go via samba_kdc_get_claims_data_from_pac()
    if the PAC was issued by a trust. But for now we still
    clear the claims, which is the default if
    msDS-IngressClaimsTransformationPolicy is missing
    on the trustedDomain object.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 93c69dfeb5099b69f0483463b4a5e3fdd3cfc790
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 20 16:13:44 2025 +0100

    s4:kdc: let samba_kdc_get_claims_data_from_pac() return if a buffer was found
    
    This will simplify further changes.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 3b6ffb47b42163f1274b7752b57ec353931ed16e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 17:38:19 2025 +0100

    s4:kdc: let samba_kdc_get_pac() use samba_kdc_get_claims_blob()
    
    We should avoid calling claims_data_encoded_claims_set() directly;
    we'll have to do more than claims_data_encoded_claims_set() in future,
    so make sure we always go via the common samba_kdc_get_claims_blob()
    helper.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 72459f690e283542b0e2acf7b62e48f2998d5b9d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 13:55:22 2025 +0100

    s4:kdc: let samba_kdc_get_claims_blob() take struct claims_data as input.
    
    It means samba_kdc_update_pac() does not call
    samba_kdc_get_claims_data_from_db() twice,
    as it's already called by samba_kdc_get_claims_data().
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 5ada7c17b71fb60044e74d8773714f10c8a74c23
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 13:41:50 2025 +0100

    s4:kdc: let samba_kdc_update_pac() always fetch the user claims
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 4f5be1cd78d97f5741360b9ce31f5d787a9ebb60
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 13:35:51 2025 +0100

    s4:kdc: let samba_kdc_update_pac() use samba_kdc_entry_pac_valid_principal() to check delegated_proxy
    
    This might not be needed, but it's more consistent.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 51d7db7e9f06eea6711aba3091b87c7999049ec0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 13:28:56 2025 +0100

    s4:kdc: remove useless samba_kdc_get_user_info_dc() from samba_kdc_get_device_info_blob()
    
    There's no need to call it again if the caller already did.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 94e77288dc5ab83e38a71e7c26a3555724db4c6e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 13:23:55 2025 +0100

    s4:kdc: move user_info_dc_shallow_copy variable in samba_kdc_update_pac()
    
    This is only needed as tmp variable in the if block...
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 593b9c2e9c589b7853609eaddf57afdd01580e9d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 13:21:47 2025 +0100

    s4:kdc: move samba_kdc_get_user_info_dc() for the device in samba_kdc_update_pac()
    
    We can already call this in the 'need_device' branch, then
    it can be reused later.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 9fda646adbd6e67374dd98e12842c17c4a7fbd8b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 18 17:00:01 2025 +0100

    s4:kdc: move samba_kdc_get_user_info_dc() up in samba_kdc_update_pac()
    
    This will make further changes easier.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 8e0b132c080e91f9a8b7b8a5160ab49acac2d50e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 12:34:12 2025 +0100

    s4:kdc: introduce need_device helper variable in samba_kdc_update_pac()
    
    Also use samba_kdc_entry_pac_valid_principal() in order to catch
    all conditions for a valid device. For principals issued by
    trusted domains there's no device.entry pointer!
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit e55caa68a5507b5ab6130bfafef4c0bd521144a7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 20 16:00:23 2025 +0100

    s4:kdc: make samba_kdc_get_{user_info_dc,claims_data} static
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 55c47104c1430a6feb1719949c0fad6a4a767b11
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 20 15:16:19 2025 +0100

    s4:kdc: pass samba_kdc_entry_pac to samba_kdc_check_s4u2proxy_rbcd()
    
    This simplifies and unifies the callers.
    
    For the MIT kdc we avoid going via kerberos_pac_to_user_info_dc()
    directly.
    
    Now both go via samba_kdc_get_user_info_dc() and MIT also
    handles the samba_kdc_get_claims_data() path.
    
    For the MIT kdc it means kerberos_pac_to_user_info_dc() is now
    called via samba_kdc_get_user_info_dc() ->
    samba_kdc_get_user_info_from_pac() and it is followed by
    authsam_update_user_info_dc() consistently.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 58df2bd733a351a91ef840d100faec83a0068c25
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 20 15:04:08 2025 +0100

    s4:kdc: move samba_kdc_check_s4u2proxy_rbcd() from db-glue to pac-glue
    
    This will allow us to make more functions static in the next steps.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 4f5946ca0cec32268be4613cd1fd587075f9091d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 17:00:36 2025 +0100

    s4:kdc: make a lot of pac-glue.c functions static
    
    This makes the code base less confusing (at least for me).
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit c004c32993c452f6e97dc7b1b0093f5e98eaef01
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 16:32:33 2025 +0100

    s4:kdc: let mit_samba_get_pac() use samba_kdc_get_pac()
    
    It means we port commit b42fbc78395870c3caa33aa1c9636a59fde9e867 also to the
    MIT kdc and enforce authentication policy service restrictions when getting a PAC.
    
    We should have this logic only once in order to avoid getting out of
    sync between heimdal and MIT regarding the core logic.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit b5628d0f4ac245d91dd29f05f26433e3db7087a0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 15:15:39 2025 +0100

    s4:kdc: split out samba_kdc_get_pac() from samba_wdc_get_pac()
    
    samba_kdc_get_pac() will be re-used by mit_samba_get_pac() in
    the next step.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit ddeb85fd7285224a5b39ae2cfa40a750191ad84e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 20 14:23:05 2025 +0100

    s4:kdc: don't return ENOENT from samba_kdc_get_claims_data[_from_pac]
    
    This will matter in the next commits.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 6e9d54a9eba9ca6d5fe830f8291111ae7925c416
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 11:48:55 2025 +0100

    s4:kdc: use better variable names in samba_wdc_check_client_access()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 4bc5b6f90f9bf4bba2a9d2d39c31ae9a0d34bf52
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 19 15:25:50 2025 +0100

    s4:auth: avoid talloc_reference in claims_data_encoded_claims_set()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail_mit_kdc.d/authn-policy |    4 -
 source4/auth/session.c                    |   14 +-
 source4/dsdb/common/util_trusts.c         |  110 +++
 source4/dsdb/samdb/samdb.h                |    1 +
 source4/kdc/db-glue.c                     |  177 +----
 source4/kdc/db-glue.h                     |   10 -
 source4/kdc/hdb-samba4.c                  |   50 +-
 source4/kdc/mit_samba.c                   |  223 +-----
 source4/kdc/pac-glue.c                    | 1166 ++++++++++++++++++++++++-----
 source4/kdc/pac-glue.h                    |  106 +--
 source4/kdc/wdc-samba4.c                  |  320 ++------
 11 files changed, 1230 insertions(+), 951 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail_mit_kdc.d/authn-policy 
b/selftest/knownfail_mit_kdc.d/authn-policy
index 8ebc2e04dea..09988a79992 100644
--- a/selftest/knownfail_mit_kdc.d/authn-policy
+++ b/selftest/knownfail_mit_kdc.d/authn-policy
@@ -40,8 +40,6 @@
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_allow_to_self_with_self.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_allow_user2user.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_as_req.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_as_req_no_fast.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_from_rodc.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_to_self.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_computer_deny_to_self_with_self.ad_dc
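Review bot: dropping the *_deny_as_req knownfail entries for the MIT KDC here asserts that the MIT path now enforces the AS-REQ authentication-policy deny, which is what commit c004c32993c claims by routing mit_samba_get_pac() through samba_kdc_get_pac(); the mit_samba.c and pac-glue.c hunks that would confirm it are beyond the 500-line truncation of this changeset, so the expectation change cannot be cross-checked against the code in this message and should be verified against the full diff.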
@@ -55,7 +53,6 @@
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_allow.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_allow_from_rodc.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_deny.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_deny_as_req.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_deny_from_rodc.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_service_derived_class_allow.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow.ad_dc
@@ -75,7 +72,6 @@
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_s4u2self.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_s4u2self_inner_fast.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_as_req.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_constrained_delegation.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_constrained_delegation_to_self.ad_dc
 
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_from_rodc.ad_dc
diff --git a/source4/auth/session.c b/source4/auth/session.c
index e169a52efda..806f6eab03f 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -707,9 +707,6 @@ NTSTATUS claims_data_encoded_claims_set(TALLOC_CTX *mem_ctx,
                                        struct claims_data *claims_data,
                                        DATA_BLOB *encoded_claims_set_out)
 {
-       uint8_t *data = NULL;
-       size_t len;
-
        if (encoded_claims_set_out == NULL) {
                return NT_STATUS_INVALID_PARAMETER;
        }
@@ -738,15 +735,16 @@ NTSTATUS claims_data_encoded_claims_set(TALLOC_CTX 
*mem_ctx,
                claims_data->flags |= CLAIMS_DATA_ENCODED_CLAIMS_PRESENT;
        }
 
-       if (claims_data->encoded_claims_set.data != NULL) {
-               data = talloc_reference(mem_ctx, 
claims_data->encoded_claims_set.data);
-               if (data == NULL) {
+       if (claims_data->encoded_claims_set.length != 0) {
+               *encoded_claims_set_out = data_blob_dup_talloc(mem_ctx,
+                                               
claims_data->encoded_claims_set);
+               if (encoded_claims_set_out->length !=
+                   claims_data->encoded_claims_set.length)
+               {
                        return NT_STATUS_NO_MEMORY;
                }
        }
-       len = claims_data->encoded_claims_set.length;
 
-       *encoded_claims_set_out = data_blob_const(data, len);
        return NT_STATUS_OK;
 }
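Review bot: the zero-length path no longer writes *encoded_claims_set_out. Previously `*encoded_claims_set_out = data_blob_const(data, len);` ran unconditionally, so a caller always received a well-defined (possibly empty) blob; after this change the out parameter is only assigned when `claims_data->encoded_claims_set.length != 0`, leaving it untouched otherwise. Unless the part of the function above this hunk already zeroes it (not visible here), suggest `*encoded_claims_set_out = data_blob_null;` right after the NULL parameter check so callers that do not pre-initialise their DATA_BLOB cannot read garbage. The length comparison is an adequate allocation-failure check given that data_blob_dup_talloc() yields a zero-length blob when the copy fails, and replacing talloc_reference() with a real copy removes the shared-ownership ambiguity the subject line targets.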
 
diff --git a/source4/dsdb/common/util_trusts.c 
b/source4/dsdb/common/util_trusts.c
index a184ba6b934..34ad72f85f1 100644
--- a/source4/dsdb/common/util_trusts.c
+++ b/source4/dsdb/common/util_trusts.c
@@ -36,6 +36,7 @@
 #include "../lib/util/dlinklist.h"
 #include "lib/crypto/md4.h"
 #include "libcli/ldap/ldap_ndr.h"
+#include "libcli/security/claims_transformation.h"
 
 #undef strcasecmp
 
@@ -3246,3 +3247,112 @@ const struct lsa_TrustDomainInfoInfoEx 
*dsdb_trust_domain_by_name(
 
        return NULL;
 }
+
+NTSTATUS dsdb_trust_get_claims_tf_policy(struct ldb_context *samldb,
+                                        const struct ldb_message *tdo_msg,
+                                        const char *tdo_attr,
+                                        TALLOC_CTX *mem_ctx,
+                                        struct claims_tf_rule_set **_rule_set)
+{
+       TALLOC_CTX *frame = talloc_stackframe();
+       const struct ldb_val *tdo_link_val = NULL;
+       struct ldb_dn *config_dn = NULL;
+       struct ldb_dn *claims_tf_dn = NULL;
+       struct ldb_dn *policy_dn = NULL;
+       struct ldb_message *policy_msg = NULL;
+       static const char * const policy_attrs[] = {
+               "msDS-TransformationRules",
+               NULL
+       };
+       const struct ldb_val *xml_blob = NULL;
+       DATA_BLOB rules_blob = { .length = 0, };
+       struct claims_tf_rule_set *rule_set = NULL;
+       int cmp;
+       bool ok;
+       int ret;
+
+       *_rule_set = NULL;
+
+       tdo_link_val = ldb_msg_find_ldb_val(tdo_msg, tdo_attr);
+       if (tdo_link_val == NULL) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_DS_NO_ATTRIBUTE_OR_VALUE;
+       }
+
+       config_dn = ldb_get_config_basedn(samldb);
+       if (config_dn == NULL) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_DS_INIT_FAILURE;
+       }
+
+       claims_tf_dn = ldb_dn_copy(frame, config_dn);
+       if (claims_tf_dn == NULL) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       ok = ldb_dn_add_child_fmt(claims_tf_dn,
+                                 "%s,%s,%s",
+                                 "CN=Claims Transformation Policies",
+                                 "CN=Claims Configuration",
+                                 "CN=Services");
+       if (!ok) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       policy_dn = ldb_msg_find_attr_as_dn(samldb, frame, tdo_msg, tdo_attr);
+       if (policy_dn == NULL) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       /*
+        * The policy dn needs to be a child of
+        * the CN=Claims Transformation Policies container
+        */
+       cmp = ldb_dn_compare_base(claims_tf_dn, policy_dn);
+       if (cmp != 0) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_DS_OBJ_CLASS_VIOLATION;
+       }
+
+       ret = dsdb_search_one(samldb,
+                             frame,
+                             &policy_msg,
+                             policy_dn,
+                             LDB_SCOPE_BASE,
+                             policy_attrs,
+                             DSDB_SEARCH_ONE_ONLY,
+                             
"(objectClass=msDS-ClaimsTransformationPolicyType)");
+       if (ret != LDB_SUCCESS) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_POLICY_OBJECT_NOT_FOUND;
+       }
+
+       xml_blob = ldb_msg_find_ldb_val(policy_msg, "msDS-TransformationRules");
+       if (xml_blob == NULL) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_DS_NO_ATTRIBUTE_OR_VALUE;
+       }
+
+       ok = claims_tf_policy_unwrap_xml(xml_blob,
+                                        &rules_blob);
+       if (!ok) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_DS_INVALID_ATTRIBUTE_SYNTAX;
+       }
+
+       ok = claims_tf_rule_set_parse_blob(&rules_blob,
+                                          frame,
+                                          &rule_set,
+                                          NULL); /* _error_string */
+       if (!ok) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_DS_INVALID_ATTRIBUTE_SYNTAX;
+       }
+
+       *_rule_set = talloc_move(mem_ctx, &rule_set);
+       TALLOC_FREE(frame);
+       return NT_STATUS_OK;
+}
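Review bot: `policy_dn == NULL` is reported as NT_STATUS_NO_MEMORY, but ldb_msg_find_attr_as_dn() also returns NULL when the stored value is not a valid DN, and the attribute is known to be present because the tdo_link_val lookup just above succeeded, so a malformed link on the TDO would surface as an allocation failure; NT_STATUS_DS_INVALID_ATTRIBUTE_SYNTAX, which the XML and rule-set parse failures below already use, fits better. Relatedly, both claims_tf_policy_unwrap_xml() and claims_tf_rule_set_parse_blob() failures (the latter passed NULL for _error_string) return without any DBG_ output, so an operator cannot tell from the logs which policy object was rejected; logging the error string together with ldb_dn_get_linearized(policy_dn) would make a misconfigured policy diagnosable. The ldb_dn_compare_base() check that confines the linked policy to CN=Claims Transformation Policies is the right safeguard against a TDO pointing at an arbitrary object and should stay.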
diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
index ec07cae6ad3..dac80adc6b5 100644
--- a/source4/dsdb/samdb/samdb.h
+++ b/source4/dsdb/samdb/samdb.h
@@ -35,6 +35,7 @@ struct gmsa_update_pwd_part;
 struct gmsa_update;
 struct gmsa_return_pwd;
 struct KeyEnvelope;
+struct claims_tf_rule_set;
 
 enum dsdb_password_checked {
        DSDB_PASSWORD_NOT_CHECKED = 0, /* unused */
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 71bb83e7398..1f8574e9ef5 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -68,7 +68,7 @@ enum trust_direction {
        OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND
 };
 
-static const char *trust_attrs[] = {
+static const char * const trust_attrs[] = {
        "securityIdentifier",
        "flatName",
        "trustPartner",
@@ -80,6 +80,8 @@ static const char *trust_attrs[] = {
        "trustAuthOutgoing",
        "whenCreated",
        "msDS-SupportedEncryptionTypes",
+       "msDS-IngressClaimsTransformationPolicy",
+       "msDS-EgressClaimsTransformationPolicy",
        NULL
 };
 
@@ -4072,179 +4074,6 @@ bad_option:
        return KRB5KDC_ERR_BADOPTION;
 }
 
-/*
- * This method is called for S4U2Proxy requests and implements the
- * resource-based constrained delegation variant, which can support
- * cross-realm delegation.
- */
-krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
-               krb5_context context,
-               struct samba_kdc_db_context *kdc_db_ctx,
-               krb5_const_principal client_principal,
-               krb5_const_principal server_principal,
-               const struct auth_user_info_dc *user_info_dc,
-               const struct auth_user_info_dc *device_info_dc,
-               const struct auth_claims auth_claims,
-               struct samba_kdc_entry *proxy_skdc_entry)
-{
-       krb5_error_code code;
-       enum ndr_err_code ndr_err;
-       char *client_name = NULL;
-       char *server_name = NULL;
-       const char *proxy_dn = NULL;
-       const DATA_BLOB *data = NULL;
-       struct security_descriptor *rbcd_security_descriptor = NULL;
-       struct security_token *security_token = NULL;
-       uint32_t session_info_flags =
-               AUTH_SESSION_INFO_DEFAULT_GROUPS |
-               AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS |
-               AUTH_SESSION_INFO_SIMPLE_PRIVILEGES |
-               AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION;
-       /*
-        * Testing shows that although Windows grants SEC_ADS_GENERIC_ALL access
-        * in security descriptors it creates for RBCD, its KDC only requires
-        * SEC_ADS_CONTROL_ACCESS for the access check to succeed.
-        */
-       uint32_t access_desired = SEC_ADS_CONTROL_ACCESS;
-       uint32_t access_granted = 0;
-       NTSTATUS nt_status;
-       TALLOC_CTX *mem_ctx = NULL;
-
-       mem_ctx = talloc_named(kdc_db_ctx,
-                              0,
-                              "samba_kdc_check_s4u2proxy_rbcd");
-       if (mem_ctx == NULL) {
-               errno = ENOMEM;
-               code = errno;
-
-               return code;
-       }
-
-       proxy_dn = ldb_dn_get_linearized(proxy_skdc_entry->msg->dn);
-       if (proxy_dn == NULL) {
-               DBG_ERR("ldb_dn_get_linearized failed for proxy_dn!\n");
-               if (errno == 0) {
-                       errno = ENOMEM;
-               }
-               code = errno;
-
-               goto out;
-       }
-
-       rbcd_security_descriptor = talloc_zero(mem_ctx,
-                                              struct security_descriptor);
-       if (rbcd_security_descriptor == NULL) {
-               errno = ENOMEM;
-               code = errno;
-
-               goto out;
-       }
-
-       code = krb5_unparse_name_flags(context,
-                                      client_principal,
-                                      KRB5_PRINCIPAL_UNPARSE_DISPLAY,
-                                      &client_name);
-       if (code != 0) {
-               DBG_ERR("Unable to parse client_principal!\n");
-               goto out;
-       }
-
-       code = krb5_unparse_name_flags(context,
-                                      server_principal,
-                                      KRB5_PRINCIPAL_UNPARSE_DISPLAY,
-                                      &server_name);
-       if (code != 0) {
-               DBG_ERR("Unable to parse server_principal!\n");
-               goto out;
-       }
-
-       DBG_INFO("Check delegation from client[%s] to server[%s] via "
-                "proxy[%s]\n",
-                client_name,
-                server_name,
-                proxy_dn);
-
-       if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
-               session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
-       }
-
-       if (device_info_dc != NULL && !(device_info_dc->info->user_flags & 
NETLOGON_GUEST)) {
-               session_info_flags |= AUTH_SESSION_INFO_DEVICE_AUTHENTICATED;
-       }
-
-       nt_status = auth_generate_security_token(mem_ctx,
-                                                kdc_db_ctx->lp_ctx,
-                                                kdc_db_ctx->samdb,
-                                                user_info_dc,
-                                                device_info_dc,
-                                                auth_claims,
-                                                session_info_flags,
-                                                &security_token);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               code = map_errno_from_nt_status(nt_status);
-               goto out;
-       }
-
-       data = ldb_msg_find_ldb_val(proxy_skdc_entry->msg,
-                                   "msDS-AllowedToActOnBehalfOfOtherIdentity");
-       if (data == NULL) {
-               DBG_WARNING("Could not find security descriptor "
-                           "msDS-AllowedToActOnBehalfOfOtherIdentity in "
-                           "proxy[%s]\n",
-                           proxy_dn);
-               code = KRB5KDC_ERR_BADOPTION;
-               goto out;
-       }
-
-       ndr_err = ndr_pull_struct_blob(
-                       data,
-                       mem_ctx,
-                       rbcd_security_descriptor,
-                       (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
-       if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-               errno = ndr_map_error2errno(ndr_err);
-               DBG_ERR("Failed to unmarshall "
-                       "msDS-AllowedToActOnBehalfOfOtherIdentity "
-                       "security descriptor of proxy[%s]\n",
-                       proxy_dn);
-               code = KRB5KDC_ERR_BADOPTION;
-               goto out;
-       }
-
-       if (DEBUGLEVEL >= 10) {
-               NDR_PRINT_DEBUG(security_token, security_token);
-               NDR_PRINT_DEBUG(security_descriptor, rbcd_security_descriptor);
-       }
-
-       nt_status = sec_access_check_ds(rbcd_security_descriptor,
-                                       security_token,
-                                       access_desired,
-                                       &access_granted,
-                                       NULL,
-                                       NULL);
-
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               DBG_WARNING("RBCD: sec_access_check_ds(access_desired=%#08x, "
-                           "access_granted:%#08x) failed with: %s\n",
-                           access_desired,
-                           access_granted,
-                           nt_errstr(nt_status));
-
-               code = KRB5KDC_ERR_BADOPTION;
-               goto out;
-       }
-
-       DBG_NOTICE("RBCD: Access granted for client[%s]\n", client_name);
-
-       code = 0;
-out:
-       SAFE_FREE(client_name);
-       SAFE_FREE(server_name);
-
-       TALLOC_FREE(mem_ctx);
-       return code;
-}
-
 NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct 
samba_kdc_base_context *base_ctx,
                                struct samba_kdc_db_context **kdc_db_ctx_out)
 {
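Review bot: the entire RBCD decision leaves db-glue.c here, but this excerpt does not show where it lands, so the relocated version needs to be checked against the fail-closed paths this body had: a missing msDS-AllowedToActOnBehalfOfOtherIdentity value, a failed ndr_pull_security_descriptor() and a non-OK sec_access_check_ds() all mapped to KRB5KDC_ERR_BADOPTION, and AUTH_SESSION_INFO_AUTHENTICATED / AUTH_SESSION_INFO_DEVICE_AUTHENTICATED were only set when NETLOGON_GUEST was clear on the user and on the device respectively. Two things are worth fixing rather than carrying over verbatim: the allocation-failure paths return raw errno values (`errno = ENOMEM; code = errno;`) from a function typed krb5_error_code, and the `proxy_dn == NULL` branch reads errno after ldb_dn_get_linearized(), which the code itself evidently does not trust (it falls back to ENOMEM when errno is 0), so `code` can end up as whatever an earlier call left behind. The DBG_NOTICE "RBCD: Access granted for client[%s]" line, together with the DBG_WARNING on a failed access check, is the only place an operator can see a constrained-delegation grant or refusal in the KDC log; please keep both in the new location.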
diff --git a/source4/kdc/db-glue.h b/source4/kdc/db-glue.h
index f06cca4b42b..297916ed823 100644
--- a/source4/kdc/db-glue.h
+++ b/source4/kdc/db-glue.h
@@ -93,16 +93,6 @@ samba_kdc_check_s4u2proxy(krb5_context context,
                          struct samba_kdc_entry *skdc_entry,
                          krb5_const_principal target_principal);
 
-krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
-               krb5_context context,
-               struct samba_kdc_db_context *kdc_db_ctx,
-               krb5_const_principal client_principal,
-               krb5_const_principal server_principal,
-               const struct auth_user_info_dc *user_info_dc,
-               const struct auth_user_info_dc *device_info_dc,
-               const struct auth_claims auth_claims,
-               struct samba_kdc_entry *proxy_skdc_entry);
-
 NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct 
samba_kdc_base_context *base_ctx,
                                struct samba_kdc_db_context **kdc_db_ctx_out);
 
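Review bot: this drops the only visible declaration of samba_kdc_check_s4u2proxy_rbcd() while hdb-samba4.c still calls it in unchanged context further down (`code = samba_kdc_check_s4u2proxy_rbcd(context,`), so the part of the patch not reproduced in this mail must either add a definition in hdb-samba4.c ahead of hdb_samba4_check_rbcd() or a declaration in another header that file includes; otherwise the build fails on an implicit declaration. If the function becomes local to hdb-samba4.c, please also confirm no other caller of the old eight-argument prototype remains.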
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index eb8cd9686cd..f09333308c7 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -332,10 +332,8 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
        struct samba_kdc_entry *client_skdc_entry = NULL;
        const struct samba_kdc_entry *client_krbtgt_skdc_entry = NULL;
        struct samba_kdc_entry *proxy_skdc_entry = NULL;
-       const struct auth_user_info_dc *client_info = NULL;
-       const struct auth_user_info_dc *device_info = NULL;
        struct samba_kdc_entry_pac client_pac_entry = {};
-       struct auth_claims auth_claims = {};
+       struct samba_kdc_entry_pac device_pac_entry = {};
        TALLOC_CTX *mem_ctx = NULL;
        krb5_error_code code;
 
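Review bot: device_pac_entry is now hoisted to function scope with `= {}`, and its only assignment sits inside `if (device != NULL)`, so when no device ticket is present the callee receives an all-zero struct samba_kdc_entry_pac rather than being told there is no device. Whatever consumes it must treat the zero entry as "no device" and must not derive AUTH_SESSION_INFO_DEVICE_AUTHENTICATED from it; the removed code gated that flag on `device_info_dc != NULL`, and that NULL check needs an equivalent on the new representation. A one-line comment at the declaration stating that the zero value means "no device" would make the contract explicit.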
@@ -357,29 +355,9 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
                                               client_skdc_entry,
                                               client_krbtgt_skdc_entry);
 
-       code = samba_kdc_get_user_info_dc(mem_ctx,
-                                         context,
-                                         kdc_db_ctx,
-                                         client_pac_entry,
-                                         &client_info,
-                                         NULL /* resource_groups_out */);
-       if (code != 0) {
-               goto out;
-       }
-
-       code = samba_kdc_get_claims_data(mem_ctx,
-                                        context,
-                                        kdc_db_ctx,
-                                        client_pac_entry,
-                                        &auth_claims.user_claims);
-       if (code) {
-               goto out;
-       }
-
        if (device != NULL) {
                struct samba_kdc_entry *device_skdc_entry = NULL;
                const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL;
-               struct samba_kdc_entry_pac device_pac_entry = {};
 
                device_skdc_entry = talloc_get_type_abort(device->context,
                                                          struct 
samba_kdc_entry);
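Review bot: removing samba_kdc_get_user_info_dc() and samba_kdc_get_claims_data() here pushes the PAC-to-user-info and claims conversion into the callee, which is fine, but check what mem_ctx is still used for in this function after the hunk: it was the talloc parent for client_info and auth_claims.user_claims, and the surviving call to samba_kdc_check_s4u2proxy_rbcd() does not take it in the visible argument list. If it only backed the removed calls, the allocation and its TALLOC_FREE should go as well. The two deleted error checks were also inconsistent (`if (code != 0)` versus `if (code)`); whichever form the callee uses for the same conversions, it must still fail closed, with no RBCD grant, when the client's PAC yields no user info.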
@@ -392,36 +370,16 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
                device_pac_entry = samba_kdc_entry_pac(device_pac,
                                                       device_skdc_entry,
                                                       
device_krbtgt_skdc_entry);
-
-               code = samba_kdc_get_user_info_dc(mem_ctx,
-                                                 context,
-                                                 kdc_db_ctx,
-                                                 device_pac_entry,
-                                                 &device_info,
-                                                 NULL /* resource_groups_out 
*/);
-               if (code) {
-                       goto out;
-               }
-
-               code = samba_kdc_get_claims_data(mem_ctx,
-                                                context,
-                                                kdc_db_ctx,
-                                                device_pac_entry,
-                                                &auth_claims.device_claims);
-               if (code) {
-                       goto out;
-               }
        }
 
        code = samba_kdc_check_s4u2proxy_rbcd(context,
                                              kdc_db_ctx,
                                              client->principal,
                                              server_principal,
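Review bot: the call to samba_kdc_check_s4u2proxy_rbcd() is cut off after `server_principal,` in this mail, so its remaining arguments cannot be reviewed here; since client_info, device_info and auth_claims no longer exist in this function and the old prototype taking `const struct auth_user_info_dc *user_info_dc` and `const struct auth_claims auth_claims` is removed from db-glue.h, the rest of the call presumably now passes client_pac_entry and device_pac_entry (plus proxy_skdc_entry). Inside the `if (device != NULL)` block the device's user info and claims used to be pulled with the same two helpers as the client's; after this hunk the block only constructs device_pac_entry, so the device-side NETLOGON_GUEST handling is entirely delegated to the callee and deserves a test with a guest device PAC to confirm the device flag is not granted.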


-- 
Samba Shared Repository

