44a255d kdb: add minimal server referrals support for enterprise principals

Authored and Committed by abbra 3 years ago
    kdb: add minimal server referrals support for enterprise principals
    
    Implement minimal server referrals support for enterprise principals as
    defined in RFC 6806.
    
    Use krb5_pac_verify_ext() and krb5_pac_sign_ext() to support cross-realm
    S4U extensions. We have to verify/sign PAC and take the realm into
    account for S4U in these cases.
    
    The use of extended functions requires krb5 1.17+.
    
    For PAC verification, we have to filter existing PAC CLIENT-INFO
    structure in cross-realm S4U case because otherwise old CLIENT-INFO
    would change the PAC principal due to adding or omitting the realm in
    transition.  Since a new PAC CLIENT-INFO will be provided by
    k5_insert_client_info() anyway, we can filter it in all cases.
    
    Generate PAC only for the first S4U2Self request to the client realm
    (client != NULL). Otherwise, use the PAC from the cross-realm ticket.
    The latter PAC belongs to the impersonated user.
    
    Foreign (inner) principal lookup in a non-AS request returns
    KRB5_KDB_NOENTRY.
    
    Finally, in PAC signing we have to take the realm into account as well
    for S4U2Self cross-realm operation. This does not work when compiling
    against krb5 1.17 at the moment because sign_authdata() callback does
    not know whether we are dealing with an issuing referral or not. In 1.18
    a KDC will set a special client flag to signify this when asking KDB
    driver to sign a PAC record.
    
    Fixes: https://pagure.io/freeipa/issue/8319
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Signed-off-by: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
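The CLIENT-INFO filtering step the commit message describes, shown here as an added stand-alone example that is not FreeIPA's or MIT krb5's code: the real KDB driver works through libkrb5's krb5_pac_* API and krb5_pac_verify_ext()/krb5_pac_sign_ext(), whereas this Python reimplements only the MS-PAC container layout (PACTYPE header, PAC_INFO_BUFFER array, 8-byte aligned buffers, and the PAC_CLIENT_INFO buffer, type 0x0A) so the effect can be seen on bytes. It parses a PAC, drops every CLIENT-INFO buffer and re-lays out the remaining buffers, then appends a fresh CLIENT-INFO whose name is the one the issuing KDC chooses, which is where a referral can add or omit the realm. The sample PAC, the principal name `alice`, the realm `EXAMPLE.TEST` and the authtime are constructed; LOGON_INFO and both checksum buffers are zero-filled placeholders rather than real NDR data or signatures, so a PAC modified this way would still have to be re-signed, as the commit does through krb5_pac_sign_ext().

```python
import struct
from datetime import datetime, timedelta, timezone

# MS-PAC buffer type identifiers (MS-PAC section 2.4).
PAC_LOGON_INFO = 0x01
PAC_SERVER_CHECKSUM = 0x06
PAC_PRIVSVR_CHECKSUM = 0x07   # the "KDC checksum"
PAC_CLIENT_INFO = 0x0A        # the buffer the commit filters out

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _align8(n):
    return (n + 7) & ~7


def parse_pac(blob):
    """Parse a PACTYPE blob into (version, [(ulType, bytes), ...])."""
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    bufs = []
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("PAC buffer %d runs past the end of the PAC" % i)
        bufs.append((ultype, bytes(blob[offset:offset + size])))
    return version, bufs


def build_pac(bufs, version=0):
    """Serialise (ulType, bytes) pairs; each buffer starts on an 8-byte boundary."""
    header_len = 8 + 16 * len(bufs)
    data_start = _align8(header_len)
    header = struct.pack("<II", len(bufs), version)
    body = b""
    for ultype, data in bufs:
        header += struct.pack("<IIQ", ultype, len(data), data_start + len(body))
        body += data + b"\0" * (_align8(len(data)) - len(data))
    return header + b"\0" * (data_start - header_len) + body


def buffer_types(blob):
    return [t for t, _ in parse_pac(blob)[1]]


def buffer_offsets(blob):
    cbuffers = struct.unpack_from("<I", blob, 0)[0]
    return [struct.unpack_from("<Q", blob, 16 + 16 * i)[0] for i in range(cbuffers)]


def encode_client_info(authtime, name):
    """PAC_CLIENT_INFO: ClientId (FILETIME of the TGT authtime), NameLength in
    bytes (USHORT), Name (UTF-16LE, no terminator)."""
    delta = authtime - _EPOCH_1601
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    encoded = name.encode("utf-16-le")
    return struct.pack("<QH", filetime, len(encoded)) + encoded


def decode_client_info(data):
    filetime, name_len = struct.unpack_from("<QH", data, 0)
    name = data[10:10 + name_len].decode("utf-16-le")
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10), name


def strip_client_info(blob):
    """Drop every CLIENT-INFO buffer and re-lay out the PAC (no re-signing here)."""
    version, bufs = parse_pac(blob)
    return build_pac([(t, d) for t, d in bufs if t != PAC_CLIENT_INFO], version)


def replace_client_info(blob, authtime, name):
    """Filter the old CLIENT-INFO and append a fresh one carrying `name`, the
    point at which the issuing KDC decides whether the realm is included."""
    version, bufs = parse_pac(blob)
    kept = [(t, d) for t, d in bufs if t != PAC_CLIENT_INFO]
    kept.append((PAC_CLIENT_INFO, encode_client_info(authtime, name)))
    return build_pac(kept, version)


def client_name(blob):
    for t, d in parse_pac(blob)[1]:
        if t == PAC_CLIENT_INFO:
            return decode_client_info(d)[1]
    return None


SAMPLE_AUTHTIME = datetime(2020, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed


def build_sample_pac():
    """Constructed sample PAC as a client realm would issue it: the client name
    is not realm-qualified; LOGON_INFO and both checksums are zero placeholders."""
    return build_pac([
        (PAC_LOGON_INFO, b"\0" * 24),
        (PAC_CLIENT_INFO, encode_client_info(SAMPLE_AUTHTIME, "alice")),
        (PAC_SERVER_CHECKSUM, struct.pack("<I", 16) + b"\0" * 12),   # type 16, zeroed
        (PAC_PRIVSVR_CHECKSUM, struct.pack("<I", 16) + b"\0" * 12),  # type 16, zeroed
    ])


if __name__ == "__main__":
    pac = build_sample_pac()
    print("original:", [hex(t) for t in buffer_types(pac)], client_name(pac))
    stripped = strip_client_info(pac)
    print("filtered:", [hex(t) for t in buffer_types(stripped)], client_name(stripped))
    referred = replace_client_info(pac, SAMPLE_AUTHTIME, "alice@EXAMPLE.TEST")
    print("reissued:", [hex(t) for t in buffer_types(referred)], client_name(referred))
```

Running it shows the CLIENT-INFO buffer disappearing from the buffer list and a new one appearing with the realm-qualified name, which is exactly the mismatch the message warns about: had the old `alice` buffer been left in place, the name the PAC asserts and the name the referral KDC issues for would differ only in the realm suffix.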