heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service t…

…icket Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but when generating a service ticket for S4U2Self, we want to avoid adding the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers. Signed-off-by: Joseph Sutton <[email protected]> Reviewed-by: Andrew Bartlett <[email protected]>
httpstorm · Nov 30, 2021 · 9bd2680 · 9bd2680
1 parent ee4aa21
commit 9bd2680
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 19 deletions.
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
@@ -79,15 +79,8 @@
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_client_not_delegated
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_forwardable
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowed
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_empty_allowed
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_nonempty_allowed
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_without_forwardable
 #
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
@@ -119,11 +112,6 @@
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_none
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_true
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid)
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
@@ -1771,7 +1771,7 @@ _kdc_as_rep(krb5_context context,
 
 	sent_pac_request = send_pac_p(context, req, &pac_request);
 
-	ret = _kdc_pac_generate(context, client, pk_reply_key,
+	ret = _kdc_pac_generate(context, client, server, pk_reply_key,
 				sent_pac_request ? &pac_request : NULL,
 				&p);
 	if (ret) {

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
@@ -1848,7 +1848,8 @@ tgs_build_reply(krb5_context context,
 		mspac = NULL;
 	    }
 
-	    ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, NULL, &mspac);
+	    ret = _kdc_pac_generate(context, s4u2self_impersonated_client, server,
+				    NULL, NULL, &mspac);
 	    if (ret) {
 		kdc_log(context, config, 0, "PAC generation failed for -- %s",
 			tpn);

diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c
@@ -73,6 +73,7 @@ krb5_kdc_windc_init(krb5_context context)
 krb5_error_code
 _kdc_pac_generate(krb5_context context,
 		  hdb_entry_ex *client,
+		  hdb_entry_ex *server,
 		  const krb5_keyblock *pk_reply_key,
 		  const krb5_boolean *pac_request,
 		  krb5_pac *pac)
@@ -88,9 +89,9 @@ _kdc_pac_generate(krb5_context context,
 
     if (windcft->pac_pk_generate != NULL && pk_reply_key != NULL)
 	return (windcft->pac_pk_generate)(windcctx, context,
-					  client, pk_reply_key,
+					  client, server, pk_reply_key,
 					  pac_request, pac);
-    return (windcft->pac_generate)(windcctx, context, client,
+    return (windcft->pac_generate)(windcctx, context, client, server,
 				   pac_request, pac);
 }
 

diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h
@@ -55,12 +55,14 @@ struct hdb_entry_ex;
 typedef krb5_error_code
 (*krb5plugin_windc_pac_generate)(void *, krb5_context,
 				 struct hdb_entry_ex *, /* client */
+				 struct hdb_entry_ex *, /* server */
 				 const krb5_boolean *, /* pac_request */
 				 krb5_pac *);
 
 typedef krb5_error_code
 (*krb5plugin_windc_pac_pk_generate)(void *, krb5_context,
 				    struct hdb_entry_ex *, /* client */
+				    struct hdb_entry_ex *, /* server */
 				    const krb5_keyblock *, /* pk_replykey */
 				    const krb5_boolean *, /* pac_request */
 				    krb5_pac *);

diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
@@ -37,6 +37,7 @@
  */
 static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
 					 struct hdb_entry_ex *client,
+					 struct hdb_entry_ex *server,
 					 const krb5_keyblock *pk_reply_key,
 					 const krb5_boolean *pac_request,
 					 krb5_pac *pac)
@@ -55,6 +56,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
 	struct samba_kdc_entry *skdc_entry =
 		talloc_get_type_abort(client->ctx,
 		struct samba_kdc_entry);
+	bool is_krbtgt;
 
 	mem_ctx = talloc_named(client->ctx, 0, "samba_get_pac context");
 	if (!mem_ctx) {
@@ -65,13 +67,15 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
 		cred_ndr_ptr = &cred_ndr;
 	}
 
+	is_krbtgt = krb5_principal_is_krbtgt(context, server->entry.principal);
+
 	nt_status = samba_kdc_get_pac_blobs(mem_ctx, skdc_entry,
 					    &logon_blob,
 					    cred_ndr_ptr,
 					    &upn_blob,
-					    &pac_attrs_blob,
+					    is_krbtgt ? &pac_attrs_blob : NULL,
 					    pac_request,
-					    &requester_sid_blob,
+					    is_krbtgt ? &requester_sid_blob : NULL,
 					    NULL);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(mem_ctx);
@@ -101,10 +105,11 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
 
 static krb5_error_code samba_wdc_get_pac_compat(void *priv, krb5_context context,
 						struct hdb_entry_ex *client,
+						struct hdb_entry_ex *server,
 						const krb5_boolean *pac_request,
 						krb5_pac *pac)
 {
-	return samba_wdc_get_pac(priv, context, client, NULL, pac_request, pac);
+	return samba_wdc_get_pac(priv, context, client, server, NULL, pac_request, pac);
 }
 
 static krb5_error_code samba_wdc_reget_pac2(krb5_context context,