kdc: update PAC hooks for Samba

Samba includes the user's long-term credentials (encrypted in the AS reply key) to allow legacy authentication protocols such as NTLM to work even if the pre-authentication mechanism replaced the reply key (as PKINIT does). Samba also needs to know whether the client explicitly requested a PAC be included (or excluded), in order to defer PAC exclusion until a service ticket is issued (thereby avoiding a name binding attack if the user is renamed between TGT and service ticket issuance). References: https://bugzilla.samba.org/show_bug.cgi?id=11441 https://bugzilla.samba.org/show_bug.cgi?id=14561 Closes: #864 Original authors: - Joseph Sutton <josephsutton@catalyst.net.nz> - Andrew Bartlett <abartlet@samba.org> - Stefan Metzmacher <metze@samba.org>
2021-12-14 12:40:31 +11:00
parent fcd8e33a98
commit 2087e07c1e
6 changed files with 77 additions and 27 deletions
--- a/kdc/windc_plugin.h
+++ b/kdc/windc_plugin.h
@@ -54,7 +54,11 @@ struct hdb_entry_ex;

 typedef krb5_error_code
 (KRB5_CALLCONV *krb5plugin_windc_pac_generate)(void *, krb5_context,
-				 struct hdb_entry_ex *, krb5_pac *);
+					       struct hdb_entry_ex *, /* client */
+					       struct hdb_entry_ex *, /* server */
+					       const krb5_keyblock *, /* pk_replykey */
+					       const krb5_boolean *, /* pac_request */
+					       krb5_pac *);

 typedef krb5_error_code
 (KRB5_CALLCONV *krb5plugin_windc_pac_verify)(void *, krb5_context,
@@ -74,7 +78,7 @@ typedef krb5_error_code
 	KDC_REQ *, METHOD_DATA *);


-#define KRB5_WINDC_PLUGIN_MINOR			6
+#define KRB5_WINDC_PLUGIN_MINOR			7
 #define KRB5_WINDC_PLUGING_MINOR KRB5_WINDC_PLUGIN_MINOR

 typedef struct krb5plugin_windc_ftable {