From 9bd26804852d957f81cb311e5142f9190f9afa65 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 23 Nov 2021 19:38:35 +1300 Subject: [PATCH] heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but when generating a service ticket for S4U2Self, we want to avoid adding the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- selftest/knownfail_heimdal_kdc | 12 ------------ source4/heimdal/kdc/kerberos5.c | 2 +- source4/heimdal/kdc/krb5tgs.c | 3 ++- source4/heimdal/kdc/windc.c | 5 +++-- source4/heimdal/kdc/windc_plugin.h | 2 ++ source4/kdc/wdc-samba4.c | 11 ++++++++--- 6 files changed, 16 insertions(+), 19 deletions(-) diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 4d7d6a67b92..ace0550fd15 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -79,15 +79,8 @@ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_client_not_delegated ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_forwardable ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowed -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_empty_allowed -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_nonempty_allowed -^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_without_forwardable # ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required @@ -119,11 +112,6 @@ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_none -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_true -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid) -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index b8fec62333d..9127478d57b 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -1771,7 +1771,7 @@ _kdc_as_rep(krb5_context context, sent_pac_request = send_pac_p(context, req, &pac_request); - ret = _kdc_pac_generate(context, client, pk_reply_key, + ret = _kdc_pac_generate(context, client, server, pk_reply_key, sent_pac_request ? &pac_request : NULL, &p); if (ret) { diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index dc356b4daa5..38dba8493ae 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -1848,7 +1848,8 @@ server_lookup: mspac = NULL; } - ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, NULL, &mspac); + ret = _kdc_pac_generate(context, s4u2self_impersonated_client, server, + NULL, NULL, &mspac); if (ret) { kdc_log(context, config, 0, "PAC generation failed for -- %s", tpn); diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c index 93b973f576b..0a5ae5025ec 100644 --- a/source4/heimdal/kdc/windc.c +++ b/source4/heimdal/kdc/windc.c @@ -73,6 +73,7 @@ krb5_kdc_windc_init(krb5_context context) krb5_error_code _kdc_pac_generate(krb5_context context, hdb_entry_ex *client, + hdb_entry_ex *server, const krb5_keyblock *pk_reply_key, const krb5_boolean *pac_request, krb5_pac *pac) @@ -88,9 +89,9 @@ _kdc_pac_generate(krb5_context context, if (windcft->pac_pk_generate != NULL && pk_reply_key != NULL) return (windcft->pac_pk_generate)(windcctx, context, - client, pk_reply_key, + client, server, pk_reply_key, pac_request, pac); - return (windcft->pac_generate)(windcctx, context, client, + return (windcft->pac_generate)(windcctx, context, client, server, pac_request, pac); } diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h index c7f2bcb5ed9..d239d0260e7 100644 --- a/source4/heimdal/kdc/windc_plugin.h +++ b/source4/heimdal/kdc/windc_plugin.h @@ -55,12 +55,14 @@ struct hdb_entry_ex; typedef krb5_error_code (*krb5plugin_windc_pac_generate)(void *, krb5_context, struct hdb_entry_ex *, /* client */ + struct hdb_entry_ex *, /* server */ const krb5_boolean *, /* pac_request */ krb5_pac *); typedef krb5_error_code (*krb5plugin_windc_pac_pk_generate)(void *, krb5_context, struct hdb_entry_ex *, /* client */ + struct hdb_entry_ex *, /* server */ const krb5_keyblock *, /* pk_replykey */ const krb5_boolean *, /* pac_request */ krb5_pac *); diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index 713720bcb99..b1d011c09a9 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -37,6 +37,7 @@ */ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context, struct hdb_entry_ex *client, + struct hdb_entry_ex *server, const krb5_keyblock *pk_reply_key, const krb5_boolean *pac_request, krb5_pac *pac) @@ -55,6 +56,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context, struct samba_kdc_entry *skdc_entry = talloc_get_type_abort(client->ctx, struct samba_kdc_entry); + bool is_krbtgt; mem_ctx = talloc_named(client->ctx, 0, "samba_get_pac context"); if (!mem_ctx) { @@ -65,13 +67,15 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context, cred_ndr_ptr = &cred_ndr; } + is_krbtgt = krb5_principal_is_krbtgt(context, server->entry.principal); + nt_status = samba_kdc_get_pac_blobs(mem_ctx, skdc_entry, &logon_blob, cred_ndr_ptr, &upn_blob, - &pac_attrs_blob, + is_krbtgt ? &pac_attrs_blob : NULL, pac_request, - &requester_sid_blob, + is_krbtgt ? &requester_sid_blob : NULL, NULL); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); @@ -101,10 +105,11 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context, static krb5_error_code samba_wdc_get_pac_compat(void *priv, krb5_context context, struct hdb_entry_ex *client, + struct hdb_entry_ex *server, const krb5_boolean *pac_request, krb5_pac *pac) { - return samba_wdc_get_pac(priv, context, client, NULL, pac_request, pac); + return samba_wdc_get_pac(priv, context, client, server, NULL, pac_request, pac); } static krb5_error_code samba_wdc_reget_pac2(krb5_context context, -- 2.11.4.GIT