From 1fdff3710511c92bd103473e4c296c98f971dd13 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Thu, 4 May 2023 15:06:40 +1200
Subject: s4:kdc: Look up authentication policies for Kerberos clients and servers
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
source4/auth/sam.c | 14 +++++++++++++-
source4/kdc/db-glue.c | 35 +++++++++++++++++++++++++++++++++++
source4/kdc/samba_kdc.h | 2 ++
source4/kdc/wscript_build | 2 +-
4 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index b66bfbff8ae..6d25afa6131 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -64,12 +64,23 @@
 /* Needed for RODC rule processing */ \
 "msDS-KrbTgtLinkBL"
+#define AUTHN_POLICY_ATTRS \
+ /* Required for authentication policies / silos */ \
+ "msDS-AssignedAuthNPolicy", \
+ "msDS-AssignedAuthNPolicySilo"
+
 const char *krbtgt_attrs[] = {
+ /*
+ * Authentication policies will not be enforced on the TGS
+ * account. Don’t include the relevant attributes in the account search.
+ */
 KRBTGT_ATTRS, NULL
 };
 const char *server_attrs[] = {
- KRBTGT_ATTRS, NULL
+ KRBTGT_ATTRS,
+ AUTHN_POLICY_ATTRS,
+ NULL
 };
 const char *user_attrs[] = {
@@ -82,6 +93,7 @@ const char *user_attrs[] = {
 "msDS-ResultantPSO",
 KRBTGT_ATTRS,
+ AUTHN_POLICY_ATTRS,
 "logonHours",
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 6d33ca4aa95..375a2715dc6 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -34,6 +34,7 @@
 #include "../lib/crypto/md4.h"
 #include "system/kerberos.h"
 #include "auth/kerberos/kerberos.h"
+#include "kdc/authn_policy_util.h"
 #include "kdc/sdb.h"
 #include "kdc/samba_kdc.h"
 #include "kdc/db-glue.h"
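Review bot: The comment added inside the `krbtgt_attrs` initializer uses a non-ASCII right single quotation mark in `Don’t`, while the surrounding comments in this hunk are plain ASCII; writing `Don't` keeps the source 7-bit clean and avoids editor and encoding surprises in a file that otherwise has none. The comment would also read more naturally placed above the `const char *krbtgt_attrs[] = {` line, as a comment on the table, rather than between the opening brace and `KRBTGT_ATTRS, NULL` where it sits in the middle of the data.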
@@ -1089,6 +1090,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 ENC_ALL_TYPES;
 const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
+ const struct authn_kerberos_client_policy *authn_client_policy = NULL;
+ const struct authn_server_policy *authn_server_policy = NULL;
+
 ZERO_STRUCTP(entry);
 if (supported_enctypes == 0) {
@@ -1392,6 +1396,34 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 *entry->max_renew = kdc_db_ctx->policy.renewal_lifetime;
+ /*
+ * A principal acting as a client that is not being looked up as the
+ * principal of an armor ticket may have an authentication policy apply
+ * to it.
+ */
+ if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT &&
+ (flags & SDB_F_FOR_AS_REQ) &&
+ !(flags & SDB_F_ARMOR_PRINCIPAL))
+ {
+ ret = authn_policy_kerberos_client(kdc_db_ctx->samdb, mem_ctx, msg,
+ &authn_client_policy);
+ if (ret) {
+ goto out;
+ }
+ }
+
+ /*
+ * A principal acting as a server may have an authentication policy
+ * apply to it.
+ */
+ if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
+ ret = authn_policy_server(kdc_db_ctx->samdb, mem_ctx, msg,
+ &authn_server_policy);
+ if (ret) {
+ goto out;
+ }
+ }
+
 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT && (flags & SDB_F_FOR_AS_REQ)) {
 int result;
 const struct auth_user_info_dc *user_info_dc = NULL;
@@ -1628,6 +1660,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 p->msg = talloc_steal(p, msg);
 p->supported_enctypes = pa_supported_enctypes;
+ p->client_policy = talloc_steal(p, authn_client_policy);
+ p->server_policy = talloc_steal(p, authn_server_policy);
+
 out:
 if (ret != 0) {
 /* This doesn't free ent itself, that is for the eventual caller to do */
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index c183e04eca7..8410a5bebac 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
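Review bot: In the `@@ -1392` hunk the new client-policy block re-tests `ent_type == SAMBA_KDC_ENT_TYPE_CLIENT && (flags & SDB_F_FOR_AS_REQ)`, which is exactly the condition of the `if` that immediately follows it; nesting the lookup inside that existing block behind `if (!(flags & SDB_F_ARMOR_PRINCIPAL)) {` would keep all AS-REQ client processing in one place and stop the two conditions drifting apart in later edits. `ret` here is the function's `krb5_error_code`, so whatever `authn_policy_kerberos_client()` and `authn_policy_server()` return propagates unchanged to the `out:` path and the caller; if those helpers return errno-style codes rather than Kerberos error codes, confirm the callers of `samba_kdc_message2entry()` treat them correctly, or map them as the rest of this function does. A short comment on the `goto out` lines noting that a policy lookup failure rejects the whole entry, e.g. `/* Failing to resolve the policy fails the lookup rather than proceeding without it */`, would make that deliberate choice explicit. `samba_kdc_message2entry()` starts before and ends after this hunk.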
@@ -63,6 +63,8 @@ struct samba_kdc_entry {
 struct ldb_message *msg;
 struct ldb_dn *realm_dn;
 struct auth_user_info_dc *user_info_dc;
+ const struct authn_kerberos_client_policy *client_policy;
+ const struct authn_server_policy *server_policy;
 bool is_krbtgt;
 bool is_rodc;
 bool is_trust;
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 0e586474c2d..5c713d82ecb 100644
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -135,7 +135,7 @@ bld.SAMBA_LIBRARY('pac',
 bld.SAMBA_LIBRARY('db-glue',
 source='db-glue.c',
- deps='ldb auth4_sam common_auth samba-credentials sdb samba-hostconfig com_err RPC_NDR_IRPC MESSAGING PAC_GLUE',
+ deps='ldb auth4_sam common_auth samba-credentials sdb samba-hostconfig com_err RPC_NDR_IRPC MESSAGING PAC_GLUE authn_policy_util',
 private_library=True,
 )
--
cgit v1.2.1
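Review bot: The two new `struct samba_kdc_entry` members are undocumented, and their meaning depends on how db-glue.c populates them: `client_policy` is only looked up for `SAMBA_KDC_ENT_TYPE_CLIENT` entries on an AS-REQ that are not the armor principal, and `server_policy` only for `SAMBA_KDC_ENT_TYPE_SERVER` entries, so a NULL field cannot be distinguished by a reader of the struct from a lookup that (presumably) found no assigned policy. Suggested comments: `/* Set only for AS-REQ client lookups that are not the armor principal; NULL otherwise */` above `client_policy` and `/* Set only for server lookups; NULL otherwise */` above `server_policy`, so consumers do not treat NULL as "no policy applies" in the cases where the lookup was never performed. The struct definition starts before this hunk.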