authorAndrew Bartlett <abartlet@samba.org>2010-09-28 12:53:06 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-09-29 04:23:07 +1000
commit990720b8cd869a375686cc78f270e68ca9bd28b3 (patch)
tree65d0e1c3257d52988dc6b543242211d0d90b9c03
parent85f7bce865e611c5d18b67a3f34723f7da7df92e (diff)
s4-kdc Add function to determine if a hdb entry is a RODC
This is important, as we must ignore the PAC from an RODC. Andrew Bartlett
-rw-r--r--source4/kdc/pac-glue.c16
-rw-r--r--source4/kdc/pac-glue.h2
2 files changed, 18 insertions, 0 deletions
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 3eeb26c98d..b9a686cf14 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -119,6 +119,22 @@ bool samba_princ_needs_pac(struct hdb_entry_ex *princ)
return true;
}
+/* Was the krbtgt an RODC (and we are not) */
+bool samba_krbtgt_was_untrusted_rodc(struct hdb_entry_ex *princ)
+{
+
+ struct samba_kdc_entry *p = talloc_get_type(princ->ctx, struct samba_kdc_entry);
+ int rodc_krbtgt_number;
+
+ /* The service account may be set not to want the PAC */
+ rodc_krbtgt_number = ldb_msg_find_attr_as_int(p->msg, "msDS-SecondaryKrbTgtNumber", -1);
+ if (rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number) {
+ return true;
+ }
+
+ return false;
+}
+
NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx,
struct hdb_entry_ex *client,
DATA_BLOB **_pac_blob)
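Review bot: The comment above the ldb_msg_find_attr_as_int() call in samba_krbtgt_was_untrusted_rodc (`/* The service account may be set not to want the PAC */`) is carried over from samba_princ_needs_pac and does not describe this check; replace it with `/* -1 means no msDS-SecondaryKrbTgtNumber, i.e. not an RODC krbtgt */`. More substantively, that -1 "attribute absent" sentinel is compared directly against my_krbtgt_number, so a krbtgt entry that lacks the attribute altogether is reported as an untrusted RODC whenever our own number is anything other than -1 — if a full DC's my_krbtgt_number is 0 (not visible here), its own domain krbtgt's PAC would be treated as untrusted. The absent case wants an explicit branch before the comparison, e.g. `if (rodc_krbtgt_number == -1) return false;`, and the header comment's "(and we are not)" is not actually checked by the code, so either the comment or the logic should be tightened. The talloc_get_type() result p is also dereferenced without a NULL check; since this result gates PAC trust, failing closed with `if (p == NULL) return true;` would be the safer default.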
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 4723a72b07..c5cc661c43 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -27,6 +27,8 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
bool samba_princ_needs_pac(struct hdb_entry_ex *princ);
+bool samba_krbtgt_was_untrusted_rodc(struct hdb_entry_ex *princ);
+
NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx,
struct hdb_entry_ex *client,
DATA_BLOB **_pac_blob);