We introduced a notion of soft vs. hard aliases in the previous commit
(hdb: Distinguish soft and hard principal aliases).
This commit corrects existing test cases and adds new test cases.
Soft aliases allow for the configuration of referrals using HDB entries.
Hard aliases are like copies of the aliased HDB entries. These are
useful for renaming principals (and realms).
See the preceding commit.
We introduce a notion of soft vs. hard aliases.
Soft aliases are aliases of WELLKNOWN/REFERRALS/TARGET@$some_realm,
where $some_realm is the realm we want the KDC to issue referrals to.
Hard aliases are all other aliases, where if the client requested
canonicalization then the KDC should update the names in the responses,
or else if the client did not request canonicalization, then the KDC
should treat the alias as a distinct principal with the same keys as the
alias' canonical name.
The logic for dealing with these is entirely located in the HDB
backends.
An HDB backend can implement hard aliases by replacing a found
HDB_entry's principal with the name used to look it up.
An HDB backend can implement soft aliases by returning
HDB_ERR_WRONG_REALM to trigger the AS or TGS to return a referral.
Currently only in-tree HDB backends support this feature that use
_hdb_fetch_kvno() as their hdb_fetch_kvno() method implementation.
That's all HDB backends other than SQLite3.
Out-of-tree backends should be unaffected.
We've added a decoration field to HDB_entry: aliased -- an int
(boolean). This is only used internally in libhdb at this time.
Out-of-tree HDB backends could have a use for this decoration, but we
have not decided whether it is a public interface yet.
INTxx_MIN plus a positive integer of the same type will always be
negative, and so the result will always compare less than a positive
integer. Fix this check so that we produce the correct result when
adding two negative time_t values.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
In a cross-realm situation the client KDC exchange may use on orphaned
strengthen_key (from the previous exchange) if the current KDC
doesn't not support FAST and the previous KDC supported it.
Otherwise init_creds_step() or fast_tgs_strengthen_key()
generate the reply key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Since plugins no longer have a way of accessing the 'ek' member of the
request structure, this function provides a way for a plugin to add
encrypted padata to the response.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This allows these functions to be used with PACs obtained from KDC
accessor functions such as kdc_request_get_pac().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
With HDB_ERR_WRONG_REALM the backend needs to expose the
principal, so we should not free the entry otherwise
the main kdc code will crash.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
PAC_TYPE_CLIENT_CLAIMS_INFO and PAC_TYPE_DEVICE_CLAIMS_INFO are
of zero length unless any claims are actually defined.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Closes: #969
PAC_TYPE_CLIENT_CLAIMS_INFO and PAC_TYPE_DEVICE_CLAIMS_INFO are
of zero length unless any claims are actually defined.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Honor the return code of _kdc_audit_request(), propagating if non-zero. Note
that this is principally intended to allow the audit plugin to return
HDB_ERR_NOT_FOUND_HERE, which influences whether the KDC sends an error reply
or not. If the audit plugin also wishes to rewrite r->error_code, it must do so
separately.
Closes: #964
_kdc_fast_check_armor_pac() already checks the PAC of the armor,
but it should also remember it if it's an TGS-REQ with explicit armor.
This will allow the kdc pac hooks to generate a compound identity PAC
with PAC_TYPE_DEVICE_INFO.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Closes: #967
