kdc: update PAC hooks for Samba

Samba includes the user's long-term credentials (encrypted in the AS reply key)
to allow legacy authentication protocols such as NTLM to work even if the
pre-authentication mechanism replaced the reply key (as PKINIT does).

Samba also needs to know whether the client explicitly requested a PAC be
included (or excluded), in order to defer PAC exclusion until a service ticket
is issued (thereby avoiding a name binding attack if the user is renamed
between TGT and service ticket issuance).

References:

https://bugzilla.samba.org/show_bug.cgi?id=11441
https://bugzilla.samba.org/show_bug.cgi?id=14561

Closes: #864

Original authors:
 - Joseph Sutton <josephsutton@catalyst.net.nz>
 - Andrew Bartlett <abartlet@samba.org>
 - Stefan Metzmacher <metze@samba.org>
Luke Howard
2021-12-14 12:40:31 +11:00
parent fcd8e33a98
commit 2087e07c1e
6 changed files with 77 additions and 27 deletions


@@ -71,7 +71,10 @@ krb5_kdc_windc_init(krb5_context context)
struct generate_uc {
hdb_entry_ex *client;
hdb_entry_ex *server;
const krb5_keyblock *reply_key;
krb5_pac *pac;
const krb5_boolean *pac_request;
};
static krb5_error_code KRB5_LIB_CALL
@@ -82,13 +85,22 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
if (ft->pac_generate == NULL)
return KRB5_PLUGIN_NO_HANDLE;
return ft->pac_generate((void *)plug, context, uc->client, uc->pac);
return ft->pac_generate((void *)plug, context,
uc->client,
uc->server,
uc->reply_key,
uc->pac_request,
uc->pac);
}
krb5_error_code
_kdc_pac_generate(krb5_context context,
hdb_entry_ex *client,
hdb_entry_ex *server,
const krb5_keyblock *reply_key,
const krb5_boolean *pac_request,
krb5_pac *pac)
{
krb5_error_code ret = 0;
@@ -102,9 +114,11 @@ _kdc_pac_generate(krb5_context context,
return 0;
if (have_plugin) {
uc.client = client;
uc.server = server;
uc.reply_key = reply_key;
uc.pac = pac;
uc.pac_request = pac_request;
ret = _krb5_plugin_run_f(context, &windc_plugin_data,
0, &uc, generate);