mit-kdc: do we always include the PAC for AS requests?

Isaac Boukris iboukris at gmail.com
Mon Sep 17 14:49:58 UTC 2018


On Mon, Sep 17, 2018 at 6:22 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> Hi team,
>
> I'm looking at this code in
> 'source4/kdc/mit-kdb/kdb_samba_policies.c', and was wondering why we
> first check for KRB5_KDB_FLAG_INCLUDE_PAC in AS requests, but later we
> just get the PAC anyway even if the flag is not set.
> Or am I missing something? See code snippet below.
>
>     if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
>         code = ks_get_pac(context, client, client_key, &pac);
>         if (code != 0) {
>             goto done;
>         }
>     }
>
>     if (!is_as_req) {
>         code = ks_verify_pac(context,
>                      flags,
>                      ks_client_princ,
>                      client,
>                      server,
>                      krbtgt,
>                      server_key,
>                      krbtgt_key,
>                      authtime,
>                      tgt_auth_data,
>                      &pac);
>         if (code != 0) {
>             goto done;
>         }
>     }
>
>     if (pac == NULL && client != NULL) {
>
>         code = ks_get_pac(context, client, client_key, &pac);
>         if (code != 0) {
>             goto done;
>         }
>     }


I've tested with 'kinit --no-request-pac' and the KDC actually behaves ok.
However, that's because the server doesn't call the plugin's
sign_authdata() at all if KRB5_KDB_FLAG_INCLUDE_PAC is false.
See: https://buildfarm.opencsw.org/source/xref/krb5/src/kdc/kdc_authdata.c#354

Though the plugin code could still be simplified.
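As an added example (not code from Samba or MIT krb5), here is a small C model of the control flow quoted above that makes the redundancy concrete. `model_get_pac()` and `model_verify_pac()` are hypothetical stand-ins for `ks_get_pac()` and `ks_verify_pac()`, the flag value and the `model_pac` struct are constructed, and it is assumed that an AS request always arrives with a client entry. `run_flow()` reproduces the quoted branches exactly, optionally with the first `is_as_req && KRB5_KDB_FLAG_INCLUDE_PAC` block dropped, and `count_divergent_cases()` enumerates every combination of request type, flag, client presence and TGT PAC to show that the two variants never produce a different outcome: for an AS request the fallback `pac == NULL && client != NULL` branch builds the PAC anyway, so in the plugin the flag has no effect and the only real gate is the KDC's own check before `sign_authdata()` is called.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed flag value; only its presence or absence matters here. */
#define KRB5_KDB_FLAG_INCLUDE_PAC 0x1

/* Constructed stand-in for a PAC: records where the flow obtained it. */
struct model_pac { const char *origin; };

enum pac_outcome { PAC_NONE = 0, PAC_FROM_CLIENT = 1, PAC_FROM_TGT = 2, PAC_ERROR = 3 };

/* Hypothetical stand-in for ks_get_pac(): build a PAC from the client's DB entry. */
static int model_get_pac(const char *client, struct model_pac **out)
{
    struct model_pac *p;
    if (client == NULL) return 1;            /* no entry to build the PAC from */
    p = calloc(1, sizeof(*p));
    if (p == NULL) return 1;
    p->origin = "client";
    *out = p;
    return 0;
}

/* Hypothetical stand-in for ks_verify_pac(): TGS path, take the PAC carried
 * in the presented TGT if there is one (an absent PAC is modelled as not an error). */
static int model_verify_pac(int tgt_has_pac, struct model_pac **out)
{
    struct model_pac *p;
    if (!tgt_has_pac) { *out = NULL; return 0; }
    p = calloc(1, sizeof(*p));
    if (p == NULL) return 1;
    p->origin = "tgt";
    *out = p;
    return 0;
}

/* The quoted control flow. With drop_as_branch set, the first
 * "is_as_req && INCLUDE_PAC" block is removed; everything else is as quoted. */
static enum pac_outcome run_flow(int is_as_req, int flags, const char *client,
                                 int tgt_has_pac, int drop_as_branch)
{
    struct model_pac *pac = NULL;
    enum pac_outcome result;

    if (!drop_as_branch && is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
        if (model_get_pac(client, &pac) != 0) return PAC_ERROR;
    }
    if (!is_as_req) {
        if (model_verify_pac(tgt_has_pac, &pac) != 0) return PAC_ERROR;
    }
    if (pac == NULL && client != NULL) {
        if (model_get_pac(client, &pac) != 0) return PAC_ERROR;
    }

    if (pac == NULL) result = PAC_NONE;
    else if (strcmp(pac->origin, "tgt") == 0) result = PAC_FROM_TGT;
    else result = PAC_FROM_CLIENT;
    free(pac);
    return result;
}

/* Enumerate every input combination and count the cases where the quoted flow
 * and the flow without the first AS-REQ branch end differently.
 * Assumption: an AS request always comes with a client entry (client != NULL). */
static int count_divergent_cases(void)
{
    static const char *const clients[] = { "alice@EXAMPLE.COM", NULL }; /* constructed */
    int diverge = 0, is_as_req, flags, c, tgt;

    for (is_as_req = 0; is_as_req <= 1; is_as_req++)
        for (flags = 0; flags <= KRB5_KDB_FLAG_INCLUDE_PAC; flags++)
            for (c = 0; c < 2; c++)
                for (tgt = 0; tgt <= 1; tgt++) {
                    if (is_as_req && clients[c] == NULL) continue;
                    if (run_flow(is_as_req, flags, clients[c], tgt, 0) !=
                        run_flow(is_as_req, flags, clients[c], tgt, 1))
                        diverge++;
                }
    return diverge;
}

int main(void)
{
    printf("AS-REQ without INCLUDE_PAC, quoted flow: outcome %d (1 = PAC from client)\n",
           run_flow(1, 0, "alice@EXAMPLE.COM", 0, 0));
    printf("cases where dropping the first branch changes the outcome: %d\n",
           count_divergent_cases());
    return 0;
}
```

The TGS cases are unaffected by construction, since the first branch is guarded by `is_as_req`; the AS cases are where the flag is silently ignored, which is exactly what the `--no-request-pac` test above could not reveal because the KDC never reaches the plugin in that case.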


