s4:kdc: Use ‘claims_data’ functions to create client claims blob

author Joseph Sutton <josephsutton@catalyst.net.nz>

Mon, 9 Oct 2023 06:32:24 +0000 (19:32 +1300)

committer Andrew Bartlett <abartlet@samba.org>

Thu, 12 Oct 2023 23:13:32 +0000 (23:13 +0000)
author Joseph Sutton <josephsutton@catalyst.net.nz>
Mon, 9 Oct 2023 06:32:24 +0000 (19:32 +1300)
committer Andrew Bartlett <abartlet@samba.org>
Thu, 12 Oct 2023 23:13:32 +0000 (23:13 +0000)
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c

index 9d49ffc655d97f3338dc3c6359e86abf9e794969..6537c5175d3f8d341730982eace35508c504ed8e 100644 (file)
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -84,7 +84,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
         DATA_BLOB *upn_blob = NULL;
         DATA_BLOB *pac_attrs_blob = NULL;
         DATA_BLOB *requester_sid_blob = NULL;
-       const DATA_BLOB *client_claims_blob = NULL;
+       DATA_BLOB client_claims_blob = {};
         krb5_error_code ret;
         NTSTATUS nt_status;
         struct samba_kdc_entry *skdc_entry =
@@ -105,6 +105,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
  
         const struct auth_user_info_dc *user_info_dc_const = NULL;
         struct auth_user_info_dc *user_info_dc_shallow_copy = NULL;
+       struct claims_data *client_claims = NULL;
  
         /* Only include resource groups in a service ticket. */
         if (is_krbtgt) {
@@ -164,6 +165,22 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
                 return map_errno_from_nt_status(nt_status);
         }
  
+       ret = samba_kdc_get_claims_data_from_db(server_entry->kdc_db_ctx->samdb,
+                                               skdc_entry,
+                                               &client_claims);
+       if (ret) {
+               talloc_free(mem_ctx);
+               return ret;
+       }
+
+       nt_status = claims_data_encoded_claims_set(mem_ctx,
+                                                  client_claims,
+                                                  &client_claims_blob);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               talloc_free(mem_ctx);
+               return map_errno_from_nt_status(nt_status);
+       }
+
         /*
          * For an S4U2Self request, the authentication policy is not enforced.
          */
@@ -245,14 +262,6 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
                 }
         }
  
-       nt_status = samba_kdc_get_claims_blob(mem_ctx,
-                                             skdc_entry,
-                                             &client_claims_blob);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               talloc_free(mem_ctx);
-               return map_errno_from_nt_status(nt_status);
-       }
-
         if (pk_reply_key != NULL && cred_ndr != NULL) {
                 ret = samba_kdc_encrypt_pac_credentials(context,
                                                         pk_reply_key,
@@ -275,7 +284,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
         ret = samba_make_krb5_pac(context, logon_blob, cred_blob,
                                   upn_blob, pac_attrs_blob,
                                   requester_sid_blob, NULL,
-                                 client_claims_blob, NULL, NULL,
+                                 &client_claims_blob, NULL, NULL,
                                   *pac);
  
         talloc_free(mem_ctx);
author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Mon, 9 Oct 2023 06:32:24 +0000 (19:32 +1300)
committer	Andrew Bartlett <abartlet@samba.org>
	Thu, 12 Oct 2023 23:13:32 +0000 (23:13 +0000)