author | Andrew Bartlett <abartlet@samba.org> | 2012-01-11 18:06:55 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-01-12 18:02:54 +1100 |
commit | 49f8113fabd2603b45439404c91d350b4d6eaeac (patch) | |
tree | ace3a19fcb94bb5ab6396f1be30fb2af7bec8817 /source4/kdc/pac-glue.h | |
parent | d0bb8b8a15c76c739062e7a78c013b54729dc5ab (diff) | |
s4-kdc Do the KDC PAC checksum validation in the Samba plugin
Here we can fetch the right key, and check if the PAC is likely to be signed by a key that
we know. We cannot check the KDC signature on incoming trusts.
Andrew Bartlett
Diffstat (limited to 'source4/kdc/pac-glue.h')
-rw-r--r-- | source4/kdc/pac-glue.h | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 66c20cdc1e..0e1cdcd2f2 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -28,7 +28,7 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
 bool samba_princ_needs_pac(struct hdb_entry_ex *princ);
-bool samba_krbtgt_was_untrusted_rodc(struct hdb_entry_ex *princ);
+int samba_krbtgt_is_in_db(struct hdb_entry_ex *princ, bool *is_in_db, bool *is_untrusted);
 NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx,
 struct hdb_entry_ex *client,
@@ -36,7 +36,9 @@ NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx,
 NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
 krb5_context context,
- const krb5_pac pac, DATA_BLOB *pac_blob);
+ const krb5_pac pac, DATA_BLOB *pac_blob,
+ struct PAC_SIGNATURE_DATA *pac_srv_sig,
+ struct PAC_SIGNATURE_DATA *pac_kdc_sig);
 NTSTATUS samba_kdc_update_delegation_info_blob(TALLOC_CTX *mem_ctx,
 krb5_context context,
@@ -53,3 +55,7 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
 const char *client_name,
 const char *workstation,
 bool password_change);
+int kdc_check_pac(krb5_context krb5_context,
+ DATA_BLOB server_sig,
+ struct PAC_SIGNATURE_DATA *kdc_sig,
+ hdb_entry_ex *ent); |
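Review bot: The new prototype `int samba_krbtgt_is_in_db(struct hdb_entry_ex *princ, bool *is_in_db, bool *is_untrusted);` in the first hunk returns a bare `int` where every other declaration in this header uses `NTSTATUS` or `krb5_error_code`, and nothing says what a non-zero value means or whether `*is_in_db` and `*is_untrusted` are written on the failure path. Because `*is_untrusted` replaces the former `samba_krbtgt_was_untrusted_rodc()` test, a caller that reads it after an error return would base a PAC trust decision on an uninitialised flag. A short comment above the prototype should state the return convention (presumably 0 on success, given the type — the header does not say), which out-parameters are valid on each path, and that the untrusted flag is the old RODC check; the same applies to `kdc_check_pac` in the third hunk, which also returns an undocumented `int`. The `krb5_error_code samba_make_krb5_pac(...)` declaration this hunk is anchored on begins outside the hunk.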
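Review bot: The two `struct PAC_SIGNATURE_DATA *` parameters added to `samba_kdc_update_pac_blob` in the second hunk carry no indication of direction; from the header alone a reader cannot tell whether `pac_srv_sig` and `pac_kdc_sig` are inputs the caller supplies or outputs the function fills from the incoming PAC for a later `kdc_check_pac` call (the latter seems likely from the commit message, but is not visible here), nor whether NULL is accepted for either. A one-line comment on the prototype naming the direction and the NULL contract would settle it, e.g. `/* pac_srv_sig/pac_kdc_sig: [in|out — confirm] signatures of the PAC being updated; NULL if not wanted */` with the placeholder resolved from the definition. The function's parameter list continues into the hunk from the line before it.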
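Review bot: The `kdc_check_pac` prototype in the third hunk names its first parameter `krb5_context krb5_context`, so the identifier shadows the typedef for the rest of the declaration, and spells the last parameter `hdb_entry_ex *ent` while every other prototype in this header writes `struct hdb_entry_ex`; the two checksums also arrive as different types (`DATA_BLOB server_sig` by value, `struct PAC_SIGNATURE_DATA *kdc_sig` by pointer) with no comment explaining the asymmetry. I would change the two lines to `int kdc_check_pac(krb5_context context,` and `struct hdb_entry_ex *ent);` to match the rest of the file. The limitation stated in the commit message — that the KDC signature cannot be checked on incoming trusts — belongs in a comment on this prototype, so callers know a successful return does not always mean both checksums were verified.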