kdc: update PAC hooks for Samba

Samba includes the user's long-term credentials (encrypted in the AS reply key) to allow legacy authentication protocols such as NTLM to work even if the pre-authentication mechanism replaced the reply key (as PKINIT does). Samba also needs to know whether the client explicitly requested a PAC be included (or excluded), in order to defer PAC exclusion until a service ticket is issued (thereby avoiding a name binding attack if the user is renamed between TGT and service ticket issuance). References: https://bugzilla.samba.org/show_bug.cgi?id=11441 https://bugzilla.samba.org/show_bug.cgi?id=14561 Closes: #864 Original authors: - Joseph Sutton <josephsutton@catalyst.net.nz> - Andrew Bartlett <abartlet@samba.org> - Stefan Metzmacher <metze@samba.org>
2021-12-14 12:40:31 +11:00
parent fcd8e33a98
commit 2087e07c1e
6 changed files with 77 additions and 27 deletions
--- a/tests/plugin/windc.c
+++ b/tests/plugin/windc.c
@@ -20,11 +20,20 @@ windc_fini(void *ctx)

 static krb5_error_code KRB5_CALLCONV
 pac_generate(void *ctx, krb5_context context,
-	     struct hdb_entry_ex *client, krb5_pac *pac)
+	     struct hdb_entry_ex *client,
+	     struct hdb_entry_ex *server,
+	     const krb5_keyblock *pk_replykey,
+	     const krb5_boolean *pac_request,
+	     krb5_pac *pac)
 {
    krb5_error_code ret;
    krb5_data data;

+    if (pac_request != NULL && *pac_request == FALSE) {
+	*pac = NULL;
+	return 0;
+    }
+
    krb5_warnx(context, "pac generate");

    data.data = "\x00\x01";