static int mit_samba_update_pac_data(struct mit_samba_context *ctx, hdb_entry_ex *client, DATA_BLOB *pac_data, DATA_BLOB *logon_data) { TALLOC_CTX *tmp_ctx; DATA_BLOB *logon_blob; krb5_error_code code; NTSTATUS nt_status; krb5_pac pac = NULL; int ret; /* The user account may be set not to want the PAC */ if (client && !samba_princ_needs_pac(client)) { return EINVAL; } tmp_ctx = talloc_named(ctx, 0, "mit_samba_update_pac_data context"); if (!tmp_ctx) { return ENOMEM; } logon_blob = talloc_zero(tmp_ctx, DATA_BLOB); if (!logon_blob) { ret = ENOMEM; goto done; } code = krb5_pac_parse(ctx->context, pac_data->data, pac_data->length, &pac); if (code) { ret = EINVAL; goto done; } nt_status = samba_kdc_update_pac_blob(tmp_ctx, ctx->context, &pac, logon_blob); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Building PAC failed: %s\n", nt_errstr(nt_status))); ret = EINVAL; goto done; } logon_data->data = (uint8_t *)malloc(logon_blob->length); if (!logon_data->data) { ret = ENOMEM; goto done; } memcpy(logon_data->data, logon_blob->data, logon_blob->length); logon_data->length = logon_blob->length; ret = 0; done: if (pac) krb5_pac_free(ctx->context, pac); talloc_free(tmp_ctx); return ret; }
static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context, const krb5_principal client_principal, struct hdb_entry_ex *client, struct hdb_entry_ex *server, krb5_pac *pac) { struct samba_kdc_entry *p = talloc_get_type(server->ctx, struct samba_kdc_entry); TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_kdc_reget_pac context"); DATA_BLOB *pac_blob; krb5_error_code ret; NTSTATUS nt_status; if (!mem_ctx) { return ENOMEM; } pac_blob = talloc_zero(mem_ctx, DATA_BLOB); if (!pac_blob) { talloc_free(mem_ctx); return ENOMEM; } /* The user account may be set not to want the PAC */ if (!samba_princ_needs_pac(server)) { talloc_free(mem_ctx); return EINVAL; } nt_status = samba_kdc_update_pac_blob(mem_ctx, context, p->kdc_db_ctx->ic_ctx, pac, pac_blob); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Building PAC failed: %s\n", nt_errstr(nt_status))); talloc_free(mem_ctx); return EINVAL; } /* We now completly regenerate this pac */ krb5_pac_free(context, *pac); ret = samba_make_krb5_pac(context, pac_blob, pac); talloc_free(mem_ctx); return ret; }
static int mit_samba_update_pac_data(struct mit_samba_context *ctx, hdb_entry_ex *client, DATA_BLOB *pac_data, DATA_BLOB *logon_data) { TALLOC_CTX *tmp_ctx; DATA_BLOB *logon_blob; krb5_error_code code; NTSTATUS nt_status; krb5_pac pac = NULL; int ret; struct samba_kdc_entry *skdc_entry = NULL; if (client) { skdc_entry = talloc_get_type_abort(client->ctx, struct samba_kdc_entry); } /* The user account may be set not to want the PAC */ if (client && !samba_princ_needs_pac(skdc_entry)) { return EINVAL; } tmp_ctx = talloc_named(ctx, 0, "mit_samba_update_pac_data context"); if (!tmp_ctx) { return ENOMEM; } logon_blob = talloc_zero(tmp_ctx, DATA_BLOB); if (!logon_blob) { ret = ENOMEM; goto done; } code = krb5_pac_parse(ctx->context, pac_data->data, pac_data->length, &pac); if (code) { ret = EINVAL; goto done; } /* TODO: An implementation-specific decision will need to be * made as to when to check the KDC pac signature, and how to * untrust untrusted RODCs */ nt_status = samba_kdc_update_pac_blob(tmp_ctx, ctx->context, pac, logon_blob, NULL, NULL); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Building PAC failed: %s\n", nt_errstr(nt_status))); ret = EINVAL; goto done; } logon_data->data = (uint8_t *)malloc(logon_blob->length); if (!logon_data->data) { ret = ENOMEM; goto done; } memcpy(logon_data->data, logon_blob->data, logon_blob->length); logon_data->length = logon_blob->length; ret = 0; done: if (pac) krb5_pac_free(ctx->context, pac); talloc_free(tmp_ctx); return ret; }
static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context, const krb5_principal client_principal, const krb5_principal delegated_proxy_principal, struct hdb_entry_ex *client, struct hdb_entry_ex *server, struct hdb_entry_ex *krbtgt, krb5_pac *pac) { struct samba_kdc_entry *p = talloc_get_type(server->ctx, struct samba_kdc_entry); TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_kdc_reget_pac context"); DATA_BLOB *pac_blob; DATA_BLOB *deleg_blob = NULL; krb5_error_code ret; NTSTATUS nt_status; struct PAC_SIGNATURE_DATA *pac_srv_sig; struct PAC_SIGNATURE_DATA *pac_kdc_sig; bool is_in_db, is_untrusted; if (!mem_ctx) { return ENOMEM; } /* The user account may be set not to want the PAC */ if (!samba_princ_needs_pac(server)) { talloc_free(mem_ctx); return EINVAL; } /* If the krbtgt was generated by an RODC, and we are not that * RODC, then we need to regenerate the PAC - we can't trust * it */ ret = samba_krbtgt_is_in_db(krbtgt, &is_in_db, &is_untrusted); if (ret != 0) { talloc_free(mem_ctx); return ret; } if (is_untrusted) { if (client == NULL) { return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; } nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return EINVAL; } } else { pac_blob = talloc_zero(mem_ctx, DATA_BLOB); if (!pac_blob) { talloc_free(mem_ctx); return ENOMEM; } pac_srv_sig = talloc_zero(mem_ctx, struct PAC_SIGNATURE_DATA); if (!pac_srv_sig) { talloc_free(mem_ctx); return ENOMEM; } pac_kdc_sig = talloc_zero(mem_ctx, struct PAC_SIGNATURE_DATA); if (!pac_kdc_sig) { talloc_free(mem_ctx); return ENOMEM; } nt_status = samba_kdc_update_pac_blob(mem_ctx, context, *pac, pac_blob, pac_srv_sig, pac_kdc_sig); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Building PAC failed: %s\n", nt_errstr(nt_status))); talloc_free(mem_ctx); return EINVAL; } if (is_in_db) { /* Now check the KDC signature, fetching the correct key based on the enc type */ ret = kdc_check_pac(context, pac_srv_sig->signature, pac_kdc_sig, krbtgt); if (ret != 0) { DEBUG(1, ("PAC KDC signature failed to verify\n")); talloc_free(mem_ctx); return ret; } } } if (delegated_proxy_principal) { deleg_blob = talloc_zero(mem_ctx, DATA_BLOB); if (!deleg_blob) { talloc_free(mem_ctx); return ENOMEM; } nt_status = samba_kdc_update_delegation_info_blob(mem_ctx, context, *pac, server->entry.principal, delegated_proxy_principal, deleg_blob); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Building PAC failed: %s\n", nt_errstr(nt_status))); talloc_free(mem_ctx); return EINVAL; } } /* We now completely regenerate this pac */ krb5_pac_free(context, *pac); ret = samba_make_krb5_pac(context, pac_blob, deleg_blob, pac); talloc_free(mem_ctx); return ret; }