diff options
Diffstat (limited to 'source4/kdc/db-glue.c')
-rw-r--r-- | source4/kdc/db-glue.c | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 6d33ca4aa95..375a2715dc6 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -34,6 +34,7 @@ #include "../lib/crypto/md4.h" #include "system/kerberos.h" #include "auth/kerberos/kerberos.h" +#include "kdc/authn_policy_util.h" #include "kdc/sdb.h" #include "kdc/samba_kdc.h" #include "kdc/db-glue.h" @@ -1089,6 +1090,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, ENC_ALL_TYPES; const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL); + const struct authn_kerberos_client_policy *authn_client_policy = NULL; + const struct authn_server_policy *authn_server_policy = NULL; + ZERO_STRUCTP(entry); if (supported_enctypes == 0) { @@ -1392,6 +1396,34 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, *entry->max_renew = kdc_db_ctx->policy.renewal_lifetime; + /* + * A principal acting as a client that is not being looked up as the + * principal of an armor ticket may have an authentication policy apply + * to it. + */ + if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT && + (flags & SDB_F_FOR_AS_REQ) && + !(flags & SDB_F_ARMOR_PRINCIPAL)) + { + ret = authn_policy_kerberos_client(kdc_db_ctx->samdb, mem_ctx, msg, + &authn_client_policy); + if (ret) { + goto out; + } + } + + /* + * A principal acting as a server may have an authentication policy + * apply to it. + */ + if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) { + ret = authn_policy_server(kdc_db_ctx->samdb, mem_ctx, msg, + &authn_server_policy); + if (ret) { + goto out; + } + } + if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT && (flags & SDB_F_FOR_AS_REQ)) { int result; const struct auth_user_info_dc *user_info_dc = NULL; @@ -1628,6 +1660,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, p->msg = talloc_steal(p, msg); p->supported_enctypes = pa_supported_enctypes; + p->client_policy = talloc_steal(p, authn_client_policy); + p->server_policy = talloc_steal(p, authn_server_policy); + out: if (ret != 0) { /* This doesn't free ent itself, that is for the eventual caller to do */ |