s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 17 Oct 2023 07:24:04 +0000 (20:24 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 19 Oct 2023 22:39:19 +0000 (22:39 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 19 22:39:19 UTC 2023 on atb-devel-224

selftest/knownfail_heimdal_kdc
source4/kdc/wdc-samba4.c

index 9c86662ea0451aa939bbfb33301acb9faff6f456..986c2e9cc24f37ebe534bc6ac676d09927faf9df 100644 (file)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\)
index 1daf6d63f518f28129f4a3ad7d3b170636cec80b..dc2fffad2e435af7eeef6707e8084d544e95a1fe 100644 (file)
@@ -642,14 +642,6 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
                        if (pac_kdc_signature_rodc_id != header_ticket_rodc_id) {
                                struct sdb_entry signing_krbtgt_sdb;
 
-                               /*
-                                * If we didn't sign the ticket, then return an
-                                * error.
-                                */
-                               if (pac_kdc_signature_rodc_id != 0) {
-                                       return KRB5KRB_AP_ERR_MODIFIED;
-                               }
-
                                /*
                                 * Fetch our key from the database. To support
                                 * key rollover, we're going to need to try
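Review bot: The comment kept at the bottom of this hunk, `Fetch our key from the database`, is stale once the `pac_kdc_signature_rodc_id != 0` rejection is removed, because the branch now also runs for PACs signed by a krbtgt other than ours, i.e. an RODC's. I'd reword it to `Fetch the key of the krbtgt that signed the PAC (our own, or the RODC's identified by pac_kdc_signature_rodc_id) from the database.` The same comment should say in one sentence that accepting an RODC-signed evidence ticket is only safe because a later step confirms that RODC was permitted to issue a ticket for this client; that check is not in this hunk, so it should be verified to exist rather than assumed. The comment continues past the end of the hunk and samba_wdc_verify_pac begins before it.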
@@ -659,8 +651,8 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
                                ret = samba_kdc_fetch(context,
                                                      krbtgt_skdc_entry->kdc_db_ctx,
                                                      krbtgt->principal,
-                                                     SDB_F_GET_KRBTGT | SDB_F_CANON,
-                                                     0,
+                                                     SDB_F_GET_KRBTGT | SDB_F_RODC_NUMBER_SPECIFIED | SDB_F_CANON,
+                                                     ((uint32_t)pac_kdc_signature_rodc_id) << 16,
                                                      &signing_krbtgt_sdb);
                                if (ret != 0) {
                                        return ret;
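Review bot: With the added flags, a PAC whose signer id names an RODC this DC holds no krbtgt entry for is now rejected via `return ret;` with whatever code `samba_kdc_fetch` returns for a missing entry, where the removed check answered `KRB5KRB_AP_ERR_MODIFIED`; if anything distinguishes "signed by an unknown KDC" from a database error, map the not-found case explicitly before `return ret;` (the fetch's not-found code is not visible here, so I am inferring it exists). The `((uint32_t)pac_kdc_signature_rodc_id) << 16` argument appears to place the RODC number in the upper 16 bits of the kvno to select the matching krbtgt account, which deserves a comment on that line such as `/* RODC krbtgt kvnos carry the RODC number in the upper 16 bits */`. This hunk sits in the middle of samba_wdc_verify_pac, and the fetched signing_krbtgt_sdb is consumed after the hunk ends.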