s4:kdc: hook into heimdal's windc.pac_pk_generate hook

This allows PAC_CRENDENTIAL_INFO to be added to the PAC
when using PKINIT. In that case PAC_CRENDENTIAL_INFO contains
an encrypted PAC_CRENDENTIAL_DATA.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

1 files changed, 16 insertions, 2 deletions

diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 4e7ea4b0907..6fd55df152d 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -25,9 +25,15 @@
 #include "kdc/kdc-glue.h"
 #include "kdc/pac-glue.h"
 
-/* Given the right private pointer from hdb_samba4, get a PAC from the attached ldb messages */
+/*
+ * Given the right private pointer from hdb_samba4,
+ * get a PAC from the attached ldb messages.
+ *
+ * For PKINIT we also get pk_reply_key and can add PAC_CREDENTIAL_INFO.
+ */
 static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
 					 struct hdb_entry_ex *client,
+					 const krb5_keyblock *pk_reply_key,
 					 krb5_pac *pac)
 {
 	TALLOC_CTX *mem_ctx;
@@ -55,6 +61,13 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
 	return ret;
 }
 
+static krb5_error_code samba_wdc_get_pac_compat(void *priv, krb5_context context,
+						struct hdb_entry_ex *client,
+						krb5_pac *pac)
+{
+	return samba_wdc_get_pac(priv, context, client, NULL, pac);
+}
+
 /* Resign (and reform, including possibly new groups) a PAC */
 
 static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context,
@@ -326,9 +339,10 @@ struct krb5plugin_windc_ftable windc_plugin_table = {
 	.minor_version = KRB5_WINDC_PLUGIN_MINOR,
 	.init = samba_wdc_plugin_init,
 	.fini = samba_wdc_plugin_fini,
-	.pac_generate = samba_wdc_get_pac,
+	.pac_generate = samba_wdc_get_pac_compat,
 	.pac_verify = samba_wdc_reget_pac,
 	.client_access = samba_wdc_check_client_access,
+	.pac_pk_generate = samba_wdc_get_pac,
 };