author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2023-03-17 11:57:09 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2023-03-22 18:40:31 +0000 |
commit | c62937822d8d814a70d32efab93be721791c57f0 (patch) | |
tree | b2eb2e5ad45da3730fc365827da6097e52c5667d | |
parent | 3e97ea3f35e3d147b491bb2da959b0f8a6207835 (diff) | |
download | samba-c62937822d8d814a70d32efab93be721791c57f0.tar.gz |
s4:kdc: Don't check PAC-OPTIONS claims-supported bit
Windows only consults the PAC-OPTIONS claims bit to find out whether or
not to add claims to the PAC if the ClaimsCompIdFASTSupport option is
set to 1. If this option is set to 2 or 3, the bit is ignored and claims
are always added.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/kdc/wdc-samba4.c | 47 |
1 files changed, 1 insertions, 46 deletions
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index eb88e52f0fb..53fa6456a9d 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -34,38 +34,6 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_KERBEROS
 
-static int samba_wdc_pac_options(astgs_request_t r, PAC_OPTIONS_FLAGS *flags)
-{
- const KDC_REQ *req = kdc_request_get_req(r);
- const PA_DATA *padata_pac_options = NULL;
-
- ZERO_STRUCTP(flags);
-
- if (req->padata != NULL) {
- int idx = 0;
-
- padata_pac_options = krb5_find_padata(req->padata->val,
- req->padata->len,
- KRB5_PADATA_PAC_OPTIONS,
- &idx);
- }
-
- if (padata_pac_options != NULL) {
- PA_PAC_OPTIONS pa_pac_options = {};
- int ret;
-
- ret = decode_PA_PAC_OPTIONS(padata_pac_options->padata_value.data,
- padata_pac_options->padata_value.length,
- &pa_pac_options, NULL);
- if (ret) {
- return ret;
- }
- *flags = pa_pac_options.flags;
- }
-
- return 0;
-}
-
 static bool samba_wdc_is_s4u2self_req(astgs_request_t r)
 {
 krb5_kdc_configuration *config = kdc_request_get_config((kdc_request_t)r);
@@ -154,7 +122,6 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 (is_s4u2self) ?
 SAMBA_ASSERTED_IDENTITY_SERVICE :
 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
- PAC_OPTIONS_FLAGS pac_options = {};
 
 /* Only include resource groups in a service ticket. */
 if (is_krbtgt) {
@@ -165,11 +132,6 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED;
 }
 
- ret = samba_wdc_pac_options(r, &pac_options);
- if (ret != 0) {
- return ret;
- }
-
 mem_ctx = talloc_named(client->context, 0, "samba_get_pac context");
 if (!mem_ctx) {
 return ENOMEM;
@@ -188,8 +150,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 is_krbtgt ? &pac_attrs_blob : NULL,
 pac_attributes,
 is_krbtgt ? &requester_sid_blob : NULL,
- pac_options.claims ?
- &claims_blob : NULL);
+ &claims_blob);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(mem_ctx);
 return EINVAL;
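Review bot: The `&claims_blob` argument is now passed unconditionally in samba_wdc_get_pac, but nothing in the code records why the client's PAC-OPTIONS claims bit is ignored, or that this matches only the ClaimsCompIdFASTSupport 2/3 behaviour described in the commit message; the mode that consults the bit (value 1) can no longer be expressed after this change. I would add a comment above the argument, e.g. `/* Always add claims, as Windows does when ClaimsCompIdFASTSupport is 2 or 3; the PAC-OPTIONS claims bit is deliberately not consulted. */`. With samba_wdc_pac_options() removed (see also the hunks at -165 and -248), a PA-PAC-OPTIONS padata that fails to decode no longer makes these paths return an error; whether it is still rejected elsewhere is not visible here, so a test covering a malformed and an absent PA-PAC-OPTIONS would pin the intended behaviour. The enclosing function starts and ends outside the hunk.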
@@ -248,12 +209,6 @@ static krb5_error_code samba_wdc_reget_pac2(astgs_request_t r,
 bool is_in_db = false;
 bool is_trusted = false;
 uint32_t flags = 0;
- PAC_OPTIONS_FLAGS pac_options = {};
-
- ret = samba_wdc_pac_options(r, &pac_options);
- if (ret != 0) {
- return ret;
- }
 
 mem_ctx = talloc_named(NULL, 0, "samba_wdc_reget_pac2 context");
 if (mem_ctx == NULL) { |