From 10d6d77a2720577e51bc93c51c85261c1e3d37b8 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Wed, 17 May 2023 11:55:16 +1200
Subject: s4:kdc: Have get_claims_for_principal() take the entire principal

The ldb_message contains more information than just the DN, such as which authentication policy or silo is assigned.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 source4/kdc/ad_claims.c | 13 +++++++------
 source4/kdc/ad_claims.h | 2 +-
 source4/kdc/pac-glue.c | 6 +++---
 3 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/source4/kdc/ad_claims.c b/source4/kdc/ad_claims.c
index ad30683c03e..84cfb0abb60 100644
--- a/source4/kdc/ad_claims.c
+++ b/source4/kdc/ad_claims.c
@@ -680,7 +680,7 @@ static bool is_valid_claim_attribute_syntax(const DATA_BLOB source_syntax,
 static int get_all_claims(struct ldb_context *ldb,
 TALLOC_CTX *mem_ctx,
- struct ldb_dn *principal_dn,
+ const struct ldb_message *principal,
 uint32_t principal_class_id,
 DATA_BLOB *claims_blob)
 {
@@ -944,12 +944,13 @@ static int get_all_claims(struct ldb_context *ldb,
 }
 ret = ldb_search(ldb, tmp_ctx, &principal_res,
- principal_dn,
+ principal->dn,
 LDB_SCOPE_BASE,
 ad_claim_attrs, NULL);
 if (ret != LDB_SUCCESS) {
+ const char *dn = ldb_dn_get_linearized(principal->dn);
 DBG_ERR("Failed to find principal %s to construct claims\n",
- ldb_dn_get_linearized(principal_dn));
+ dn != NULL ? dn : "");
 talloc_free(tmp_ctx);
 return ret;
 }
@@ -1044,7 +1045,7 @@ static int get_all_claims(struct ldb_context *ldb,
 int get_claims_for_principal(struct ldb_context *ldb,
 TALLOC_CTX *mem_ctx,
- struct ldb_dn *principal_dn,
+ const struct ldb_message *principal,
 DATA_BLOB *claims_blob)
 {
 struct ldb_result *principal_res = NULL;
@@ -1062,7 +1063,7 @@ int get_claims_for_principal(struct ldb_context *ldb,
 *claims_blob = data_blob_null;
 ret = ldb_search(ldb, mem_ctx, &principal_res,
- principal_dn,
+ principal->dn,
 LDB_SCOPE_BASE,
 principal_attrs, NULL);
 if (ret != LDB_SUCCESS) {
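Review bot: The fallback string in the new `dn != NULL ? dn : ""` makes the log line read `Failed to find principal  to construct claims` whenever ldb_dn_get_linearized() returns NULL, so the operator cannot tell that the DN itself failed to render rather than being empty. The NULL check is the right thing to add, since a NULL argument to `%s` is undefined behaviour; only the placeholder is at issue, and a visibly distinct one such as `dn != NULL ? dn : "<unknown>"` keeps the message diagnosable. get_all_claims() begins and ends outside this hunk.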
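Review bot: `principal->dn` is dereferenced unconditionally in the ldb_search() call, whereas the old `principal_dn` argument was passed straight through to ldb_search() without a dereference in this function, so a NULL argument now becomes a NULL dereference in a KDC code path instead of being handed to ldb. The visible callers pass `p->msg`, which is presumably always populated, but the exported function no longer enforces its own contract; a guard at the top of get_claims_for_principal() such as `if (principal == NULL || principal->dn == NULL) { return LDB_ERR_OPERATIONS_ERROR; }` would keep the failure an error return. The same dereference appears in the -944 hunk of get_all_claims(), which is reached only through this function, so one guard here covers both. The function's opening lines lie outside this hunk.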
@@ -1087,7 +1088,7 @@ int get_claims_for_principal(struct ldb_context *ldb,
 return get_all_claims(ldb,
 mem_ctx,
- principal_dn,
+ principal,
 principal_class->governsID_id,
 claims_blob);
 }
diff --git a/source4/kdc/ad_claims.h b/source4/kdc/ad_claims.h
index aea9c8d07cc..383d25f76aa 100644
--- a/source4/kdc/ad_claims.h
+++ b/source4/kdc/ad_claims.h
@@ -26,7 +26,7 @@
 int get_claims_for_principal(struct ldb_context *ldb,
 TALLOC_CTX *mem_ctx,
- struct ldb_dn *principal_dn,
+ const struct ldb_message *principal,
 DATA_BLOB *claims_blob);
 #endif
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 6d5883f2d17..a7e6636659d 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -245,7 +245,7 @@ NTSTATUS samba_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
 static NTSTATUS samba_get_claims_blob(TALLOC_CTX *mem_ctx,
 struct ldb_context *samdb,
- struct ldb_dn *principal_dn,
+ const struct ldb_message *principal,
 DATA_BLOB *client_claims_data)
 {
 union PAC_INFO client_claims;
@@ -257,7 +257,7 @@ NTSTATUS samba_get_claims_blob(TALLOC_CTX *mem_ctx,
 ret = get_claims_for_principal(samdb,
 mem_ctx,
- principal_dn,
+ principal,
 client_claims_data);
 if (ret != LDB_SUCCESS) {
 return dsdb_ldb_err_to_ntstatus(ret);
@@ -1148,7 +1148,7 @@ NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx,
 nt_status = samba_get_claims_blob(mem_ctx,
 p->kdc_db_ctx->samdb,
- p->msg->dn,
+ p->msg,
 claims_blob);
 if (!NT_STATUS_IS_OK(nt_status)) {
 DBG_ERR("Building claims failed: %s\n",
--
cgit v1.2.1
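Review bot: The public prototype of get_claims_for_principal() now takes a `const struct ldb_message *principal` with no comment stating which parts of the message the callee relies on; as far as the hunks in this commit show, only `principal->dn` is read and the attributes are fetched by a fresh base search, so a caller cannot tell from the header whether a sparsely populated message is acceptable or whether the policy and silo attributes mentioned in the commit message must already be present. A comment above the declaration along the lines of `/* principal: the principal's ldb_message; currently only ->dn is read, attributes are looked up by a base search */` would make the contract explicit and mark it for update when further fields start being used.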