mit-kdc: do we always include the PAC for AS requests?

Andreas Schneider asn at samba.org
Fri Sep 21 14:48:30 UTC 2018


On Monday, 17 September 2018 16:49:58 CEST Isaac Boukris via samba-technical 
wrote:
> On Mon, Sep 17, 2018 at 6:22 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> > Hi team,
> > 
> > I'm looking at this code in
> > 'source4/kdc/mit-kdb/kdb_samba_policies.c', and was wondering why we
> > first check for KRB5_KDB_FLAG_INCLUDE_PAC in AS requests, but later we
> > just get the PAC anyway even if the flag is not set.
> > Or am I missing something? See code snippet below.
> > 
> >     if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
> >         code = ks_get_pac(context, client, client_key, &pac);
> >         if (code != 0) {
> >             goto done;
> >         }
> >     }
> > 
> >     if (!is_as_req) {
> >         code = ks_verify_pac(context,
> >                              flags,
> >                              ks_client_princ,
> >                              client,
> >                              server,
> >                              krbtgt,
> >                              server_key,
> >                              krbtgt_key,
> >                              authtime,
> >                              tgt_auth_data,
> >                              &pac);
> >         if (code != 0) {
> >             goto done;
> >         }
> >     }
> > 
> >     if (pac == NULL && client != NULL) {
> >         code = ks_get_pac(context, client, client_key, &pac);
> >         if (code != 0) {
> >             goto done;
> >         }
> >     }
> 
> I've tested with 'kinit --no-request-pac' and the KDC actually behaves ok.
> However, that's because the server doesn't call the plugin's
> sign_authdata() at all if KRB5_KDB_FLAG_INCLUDE_PAC is false.
> See:
> https://buildfarm.opencsw.org/source/xref/krb5/src/kdc/kdc_authdata.c#354
> 
> Though the plugin code could still be simplified.


Yes, I agree. Also in the meantime I think the plugin needs much more 
documentation :-)


	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
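As an added example (not code from the Samba or MIT krb5 trees, and not part of the thread above): what `kinit --no-request-pac` actually puts in the AS-REQ, and how a KDC turns that padata into the include-PAC decision which, per the kdc_authdata.c reference in the thread, gates the call into the KDB plugin's sign_authdata(). The padata type (128), the ASN.1 shape `KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }` from MS-KILE and the resulting DER bytes are standard; the `INCLUDE_PAC_FLAG` bit, the `PAC_POLICY_*` names, `kdc_pac_flags()` and `decide_for_client()` are this example's own stand-ins for the real `KRB5_KDB_FLAG_INCLUDE_PAC` plumbing, and the padata lists in `main()` are constructed inputs.

```c
/*
 * Added example, not krb5 or Samba code.
 *
 * PA-PAC-REQUEST (padata-type 128, MS-KILE 2.2.3) is the DER encoding of
 *   KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }
 * i.e. the seven bytes 30 05 a0 03 01 01 <00|ff>.  A request carrying no
 * PA-PAC-REQUEST at all means "include a PAC" (the default).
 *
 * INCLUDE_PAC_FLAG is a stand-in for KRB5_KDB_FLAG_INCLUDE_PAC, not its value.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PA_PAC_REQUEST   128
#define INCLUDE_PAC_FLAG 0x1u

enum pac_policy {
    PAC_POLICY_DEFAULT = 0,   /* no PA-PAC-REQUEST seen */
    PAC_POLICY_INCLUDE,       /* include-pac TRUE  (0xff) */
    PAC_POLICY_OMIT,          /* include-pac FALSE (0x00) */
    PAC_POLICY_MALFORMED      /* not canonical DER */
};

/* Encode KERB-PA-PAC-REQUEST. Returns bytes written (7) or 0 if buf is too small. */
size_t encode_pa_pac_request(int include_pac, uint8_t *buf, size_t buflen)
{
    if (buflen < 7) return 0;
    buf[0] = 0x30; buf[1] = 0x05;        /* SEQUENCE, length 5            */
    buf[2] = 0xa0; buf[3] = 0x03;        /* [0] EXPLICIT tag, length 3    */
    buf[4] = 0x01; buf[5] = 0x01;        /* BOOLEAN, length 1             */
    buf[6] = include_pac ? 0xff : 0x00;  /* DER requires TRUE to be 0xff  */
    return 7;
}

/* Strict decoder: accepts only the canonical 7-byte DER form. */
enum pac_policy decode_pa_pac_request(const uint8_t *buf, size_t len)
{
    static const uint8_t hdr[6] = { 0x30, 0x05, 0xa0, 0x03, 0x01, 0x01 };
    if (buf == NULL || len != 7 || memcmp(buf, hdr, sizeof hdr) != 0)
        return PAC_POLICY_MALFORMED;
    if (buf[6] == 0x00) return PAC_POLICY_OMIT;
    if (buf[6] == 0xff) return PAC_POLICY_INCLUDE;
    return PAC_POLICY_MALFORMED;   /* BER would take any non-zero; DER does not */
}

/* One pre-authentication element of an AS-REQ, as seen after ASN.1 decoding. */
struct padata { int32_t type; const uint8_t *value; size_t len; };

/*
 * KDC-side decision: the include-PAC flag is set unless the client sent
 * PA-PAC-REQUEST with include-pac FALSE.  A malformed element returns -1 so
 * the caller can reject the request instead of guessing.
 */
int kdc_pac_flags(const struct padata *pa, size_t n, unsigned *flags)
{
    *flags |= INCLUDE_PAC_FLAG;
    for (size_t i = 0; i < n; i++) {
        if (pa[i].type != PA_PAC_REQUEST) continue;
        switch (decode_pa_pac_request(pa[i].value, pa[i].len)) {
        case PAC_POLICY_OMIT:    *flags &= ~INCLUDE_PAC_FLAG; return 0;
        case PAC_POLICY_INCLUDE: return 0;
        default:                 return -1;
        }
    }
    return 0;
}

/* Whole round trip for one client choice: 1 = PAC included, 0 = omitted, -1 = rejected. */
int decide_for_client(int send_padata, int include_pac)
{
    uint8_t buf[7];
    struct padata pa[1] = { { 0, NULL, 0 } };
    unsigned flags = 0;
    size_t n = 0;

    if (send_padata) {
        encode_pa_pac_request(include_pac, buf, sizeof buf);
        pa[0].type = PA_PAC_REQUEST; pa[0].value = buf; pa[0].len = 7;
        n = 1;
    }
    if (kdc_pac_flags(pa, n, &flags) != 0) return -1;
    return (flags & INCLUDE_PAC_FLAG) ? 1 : 0;
}

int main(void)
{
    /* Constructed cases: --no-request-pac, --request-pac, and no padata at all. */
    printf("no-request-pac -> include=%d\n", decide_for_client(1, 0));
    printf("request-pac    -> include=%d\n", decide_for_client(1, 1));
    printf("no padata      -> include=%d\n", decide_for_client(0, 0));
    return 0;
}
```

The decoder is deliberately strict: a KDC that accepted BER-style "any non-zero is TRUE" booleans would still make the right call here, but strictness keeps the two encodings a client can legitimately send down to exactly two byte strings, which is what you want when the result decides whether authorization data is attached to a ticket.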