From b0da50b5b0d4817184202c63ddeb71e1c20b631e Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Mon, 30 Oct 2023 15:12:34 +1300
Subject: [PATCH] =?utf8?q?s4:kdc:=20Add=20the=20Asserted=20Identity=20SID?=
 =?utf8?q?=20to=20the=20PAC=20only=20if=20the=20original=20RODC=E2=80=90is?=
 =?utf8?q?sued=20PAC=20contained=20it?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 selftest/knownfail_heimdal_kdc | 9 -----
 source4/kdc/pac-glue.c | 79 ++++++++++++++++++++++++++++++++++++++----
 2 files changed, 72 insertions(+), 16 deletions(-)

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index b5161fd915a..01fcb132458 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -125,16 +125,7 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_delegating_proxy_in_network_group_rbcd\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_asserted_identity_missing_from_rodc\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_compound_authentication_from_rodc\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_service_asserted_identity_from_rodc\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_without_claims_valid_both_from_rodc\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_without_claims_valid_client_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_network_group\(ad_dc\)$
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 0e1be2629eb..17c01928f9d 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1161,6 +1161,60 @@ krb5_error_code samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx,
 return 0;
 }
 
+/*
+ * Check whether a PAC contains the Authentication Authority Asserted Identity
+ * SID.
+ */
+static krb5_error_code samba_kdc_pac_contains_asserted_identity(
+ krb5_context context,
+ const struct samba_kdc_entry_pac entry,
+ bool *contains_out)
+{
+ TALLOC_CTX *frame = NULL;
+ struct auth_user_info_dc *info = NULL;
+ krb5_error_code ret = 0;
+
+ if (contains_out == NULL) {
+ ret = EINVAL;
+ goto out;
+ }
+ *contains_out = false;
+
+ frame = talloc_stackframe();
+
+ /*
+ * Extract our info from the PAC. This does a bit of unnecessary work,
+ * setting up fields we don’t care about — we only want the SIDs.
+ */
+ ret = kerberos_pac_to_user_info_dc(frame,
+ entry.pac,
+ context,
+ &info,
+ AUTH_EXCLUDE_RESOURCE_GROUPS,
+ NULL /* pac_srv_sig */,
+ NULL /* pac_kdc_sig */,
+ /* Ignore the resource groups. */
+ NULL /* resource_groups */);
+ if (ret) {
+ const char *krb5err = krb5_get_error_message(context, ret);
+ DBG_ERR("kerberos_pac_to_user_info_dc failed: %s\n",
+ krb5err != NULL ? krb5err : "?");
+ krb5_free_error_message(context, krb5err);
+
+ goto out;
+ }
+
+ /* Determine whether the PAC contains the Asserted Identity SID. */
+ *contains_out = sid_attrs_contains_sid(
+ info->sids,
+ info->num_sids,
+ &global_sid_Asserted_Identity_Authentication_Authority);
+
+out:
+ talloc_free(frame);
+ return ret;
+}
+
 static krb5_error_code samba_kdc_get_user_info_from_pac(TALLOC_CTX *mem_ctx,
 krb5_context context,
 struct ldb_context *samdb,
@@ -1266,6 +1320,7 @@ krb5_error_code samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
 {
 const struct auth_user_info_dc *info = NULL;
 struct auth_user_info_dc *info_shallow_copy = NULL;
+ bool pac_contains_asserted_identity = false;
 krb5_error_code ret = 0;
 NTSTATUS nt_status;
 
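Review bot: The header comment on `samba_kdc_pac_contains_asserted_identity` does not state what `*contains_out` holds when the function fails, although the body sets it to `false` before decoding and leaves it there on every error path, so a caller that ignored `ret` would treat a PAC it could not decode as one lacking the SID. I would extend the comment with `On failure *contains_out is false; callers must still check the return value.` and `Decodes entry.pac afresh with AUTH_EXCLUDE_RESOURCE_GROUPS; only the resulting SID list is inspected.` The `contains_out == NULL` check is the only argument validation in the function; whether a NULL `entry.pac` is rejected depends on kerberos_pac_to_user_info_dc, which is outside the hunk, and `info` is dereferenced on the success path on the assumption that a zero return always yields a non-NULL `info`.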
@@ -1323,13 +1378,23 @@ krb5_error_code samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
 return map_errno_from_nt_status(nt_status);
 }
 
- nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
- info_shallow_copy);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DBG_ERR("Failed to add asserted identity: %s\n",
- nt_errstr(nt_status));
- TALLOC_FREE(info_shallow_copy);
- return KRB5KDC_ERR_TGT_REVOKED;
+ /* Determine whether the PAC contains the Asserted Identity SID. */
+ ret = samba_kdc_pac_contains_asserted_identity(
+ context, entry, &pac_contains_asserted_identity);
+ if (ret) {
+ return ret;
+ }
+
+ if (pac_contains_asserted_identity) {
+ nt_status = samba_kdc_add_asserted_identity(
+ SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
+ info_shallow_copy);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DBG_ERR("Failed to add asserted identity: %s\n",
+ nt_errstr(nt_status));
+ TALLOC_FREE(info_shallow_copy);
+ return KRB5KDC_ERR_TGT_REVOKED;
+ }
 }
 
 nt_status = samba_kdc_add_claims_valid(info_shallow_copy);
-- 
2.11.4.GIT
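Review bot: The new early return `if (ret) { return ret; }` after `samba_kdc_pac_contains_asserted_identity()` leaves `info_shallow_copy` allocated, whereas the failure branch a few lines below frees it with `TALLOC_FREE(info_shallow_copy)` before returning; for consistency the new branch should read `if (ret) { TALLOC_FREE(info_shallow_copy); return ret; }`. Since `info_shallow_copy` appears to hang off `mem_ctx` (its allocation is outside the hunk), this is a lifetime inconsistency rather than a permanent leak, but a caller that keeps `mem_ctx` alive across many requests would accumulate the copies. The two branches also differ in error code: a decode failure propagates the raw krb5/errno value from kerberos_pac_to_user_info_dc, while a failure to add the SID is mapped to KRB5KDC_ERR_TGT_REVOKED, so if the caller expects a KDC protocol error here the first path should be mapped the same way. samba_kdc_get_user_info_dc starts and ends outside this hunk.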