From: Jo Sutton Date: Sun, 12 May 2024 22:58:51 +0000 (+1200) Subject: s4:kdc: Implement KDC plugin hardware authentication policy X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=master s4:kdc: Implement KDC plugin hardware authentication policy NOTE: This commit finally works again! Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu May 16 03:14:47 UTC 2024 on atb-devel-224
---
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 226c7b302f5..2d7e6173a51 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -932,8 +932,27 @@ static krb5_error_code samba_wdc_referral_policy(void *priv,
 return kdc_request_get_error_code((kdc_request_t)r);
 }
 
+static krb5_error_code samba_wdc_hwauth_policy(void *priv, astgs_request_t r)
+{
+ const hdb_entry *client = kdc_request_get_client(r);
+ krb5_error_code ret = 0;
+
+ if (client != NULL && client->flags.require_hwauth) {
+ krb5_error_code ret2;
+
+ ret = KRB5KDC_ERR_POLICY;
+ ret2 = hdb_samba4_set_ntstatus(
+ r, NT_STATUS_SMARTCARD_LOGON_REQUIRED, ret);
+ if (ret2) {
+ ret = ret2;
+ }
+ }
+
+ return ret;
+}
+
 struct krb5plugin_kdc_ftable kdc_plugin_table = {
- .minor_version = KRB5_PLUGIN_KDC_VERSION_11,
+ .minor_version = KRB5_PLUGIN_KDC_VERSION_12,
 .init = samba_wdc_plugin_init,
 .fini = samba_wdc_plugin_fini,
 .pac_verify = samba_wdc_verify_pac,
@@ -942,4 +961,5 @@ struct krb5plugin_kdc_ftable kdc_plugin_table = {
 .finalize_reply = samba_wdc_finalize_reply,
 .pac_generate = samba_wdc_get_pac,
 .referral_policy = samba_wdc_referral_policy,
+ .hwauth_policy = samba_wdc_hwauth_policy,
 };
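Review bot: samba_wdc_hwauth_policy refuses every client whose entry has `require_hwauth` set and never inspects which pre-authentication the request actually used, so its correctness rests on the KDC invoking this hook only when hardware pre-authentication was not satisfied; that contract is not visible in this hunk and should be stated above the function. A comment such as `/* Invoked by the KDC when the client did not use hardware pre-authentication (confirm against the plugin API); deny with NT_STATUS_SMARTCARD_LOGON_REQUIRED if the account requires it. */` would make the assumption reviewable. The `client == NULL` path returns 0, meaning the policy passes; if a request can reach this hook without a client entry, a one-line comment explaining why allowing is safe there would help. `priv` is unused, which is worth noting in the same comment if intentional.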