kdc: update PAC hooks for Samba

Samba includes the user's long-term credentials (encrypted in the AS reply key)
to allow legacy authentication protocols such as NTLM to work even if the
pre-authentication mechanism replaced the reply key (as PKINIT does).

Samba also needs to know whether the client explicitly requested a PAC be
included (or excluded), in order to defer PAC exclusion until a service ticket
is issued (thereby avoiding a name binding attack if the user is renamed
between TGT and service ticket issuance).

References:

https://bugzilla.samba.org/show_bug.cgi?id=11441
https://bugzilla.samba.org/show_bug.cgi?id=14561

Closes: #864

Original authors:
 - Joseph Sutton <josephsutton@catalyst.net.nz>
 - Andrew Bartlett <abartlet@samba.org>
 - Stefan Metzmacher <metze@samba.org>
Luke Howard
2021-12-14 12:40:31 +11:00
parent fcd8e33a98
commit 2087e07c1e
6 changed files with 77 additions and 27 deletions


@@ -1969,15 +1969,18 @@ server_lookup:
goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
/* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
if (mspac) {
krb5_pac_free(context, mspac);
mspac = NULL;
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &mspac);
if (ret) {
kdc_log(context, config, 4, "PAC generation failed for -- %s",
tpn);
goto out;
}
krb5_pac_free(context, mspac);
mspac = NULL;
ret = _kdc_pac_generate(context,
s4u2self_impersonated_client,
server,
NULL,
NULL,
&mspac);
if (ret) {
kdc_log(context, config, 4, "PAC generation failed for -- %s", tpn);
goto out;
}
/*
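Review bot: the new `_kdc_pac_generate(context, s4u2self_impersonated_client, server, NULL, NULL, &mspac)` call passes NULL for both added parameters with no comment saying why; from the commit message these presumably carry the reply-key / long-term credentials and the client's explicit PAC request state, neither of which applies when the KDC builds an impersonated PAC for S4U2Self, so a one-line comment here (or a note in the function's header stating that NULL is permitted for both) would stop a later reader from treating this as an omission. Minor: the message `"PAC generation failed for -- %s"` keeps its stray `--`, and the `kdc_log()` call was rejoined onto a single line although the surrounding code splits long calls, which widens the diff without changing behaviour.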