diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2010-09-28 13:13:28 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2010-09-29 04:23:07 +1000 |
| commit | 89ee9e6518f5bd398bb44e0cd47454e2d69f469e (patch) | |
| tree | 97c294dd0fd053b4ec9078fcd84e6bbf83efcaf6 /source4/kdc/wdc-samba4.c | |
| parent | 9d33929d76d0969917c1d42e1097d75af3401008 (diff) | |
| download | samba-89ee9e6518f5bd398bb44e0cd47454e2d69f469e.tar.gz samba-89ee9e6518f5bd398bb44e0cd47454e2d69f469e.tar.bz2 samba-89ee9e6518f5bd398bb44e0cd47454e2d69f469e.zip | |
s4-kdc Handle the case where we may be given a ticket from an RODC in db layer
This includes rewriting the PAC if the original krbtgt isn't to be
trusted, and reading different entries from the DB for the krbtgt
depending on the krbtgt number.
Andrew Bartlett
Diffstat (limited to 'source4/kdc/wdc-samba4.c')
| -rw-r--r-- | source4/kdc/wdc-samba4.c | 42 |
1 files changed, 27 insertions, 15 deletions
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index 0ebc4e7c2b..8926594698 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -60,7 +60,9 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context, static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context, const krb5_principal client_principal, struct hdb_entry_ex *client, - struct hdb_entry_ex *server, krb5_pac *pac) + struct hdb_entry_ex *server, + struct hdb_entry_ex *krbtgt, + krb5_pac *pac) { struct samba_kdc_entry *p = talloc_get_type(server->ctx, struct samba_kdc_entry); TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_kdc_reget_pac context"); @@ -72,27 +74,37 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context, return ENOMEM; } - pac_blob = talloc_zero(mem_ctx, DATA_BLOB); - if (!pac_blob) { - talloc_free(mem_ctx); - return ENOMEM; - } - /* The user account may be set not to want the PAC */ if (!samba_princ_needs_pac(server)) { talloc_free(mem_ctx); return EINVAL; } - nt_status = samba_kdc_update_pac_blob(mem_ctx, context, - pac, pac_blob); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("Building PAC failed: %s\n", - nt_errstr(nt_status))); - talloc_free(mem_ctx); - return EINVAL; - } + /* If the krbtgt was generated by an RODC, and we are not that + * RODC, then we need to regenerate the PAC - we can't trust + * it */ + if (samba_krbtgt_was_untrusted_rodc(krbtgt)) { + nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return EINVAL; + } + } else { + pac_blob = talloc_zero(mem_ctx, DATA_BLOB); + if (!pac_blob) { + talloc_free(mem_ctx); + return ENOMEM; + } + nt_status = samba_kdc_update_pac_blob(mem_ctx, context, + pac, pac_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("Building PAC failed: %s\n", + nt_errstr(nt_status))); + talloc_free(mem_ctx); + return EINVAL; + } + } /* We now completely regenerate this pac */ krb5_pac_free(context, *pac); |