diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-09-28 12:53:06 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-09-29 04:23:07 +1000 |
commit | 990720b8cd869a375686cc78f270e68ca9bd28b3 (patch) | |
tree | 65d0e1c3257d52988dc6b543242211d0d90b9c03 | |
parent | 85f7bce865e611c5d18b67a3f34723f7da7df92e (diff) | |
download | samba-990720b8cd869a375686cc78f270e68ca9bd28b3.tar.gz samba-990720b8cd869a375686cc78f270e68ca9bd28b3.tar.bz2 samba-990720b8cd869a375686cc78f270e68ca9bd28b3.zip |
s4-kdc Add function to determine if a hdb entry is a RODC
This is important, as we must ignore the PAC from an RODC.
Andrew Bartlett
-rw-r--r-- | source4/kdc/pac-glue.c | 16 | ||||
-rw-r--r-- | source4/kdc/pac-glue.h | 2 |
2 files changed, 18 insertions, 0 deletions
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 3eeb26c98d..b9a686cf14 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -119,6 +119,22 @@ bool samba_princ_needs_pac(struct hdb_entry_ex *princ) return true; } +/* Was the krbtgt an RODC (and we are not) */ +bool samba_krbtgt_was_untrusted_rodc(struct hdb_entry_ex *princ) +{ + + struct samba_kdc_entry *p = talloc_get_type(princ->ctx, struct samba_kdc_entry); + int rodc_krbtgt_number; + + /* The service account may be set not to want the PAC */ + rodc_krbtgt_number = ldb_msg_find_attr_as_int(p->msg, "msDS-SecondaryKrbTgtNumber", -1); + if (rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number) { + return true; + } + + return false; +} + NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx, struct hdb_entry_ex *client, DATA_BLOB **_pac_blob) diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h index 4723a72b07..c5cc661c43 100644 --- a/source4/kdc/pac-glue.h +++ b/source4/kdc/pac-glue.h @@ -27,6 +27,8 @@ krb5_error_code samba_make_krb5_pac(krb5_context context, bool samba_princ_needs_pac(struct hdb_entry_ex *princ); +bool samba_krbtgt_was_untrusted_rodc(struct hdb_entry_ex *princ); + NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx, struct hdb_entry_ex *client, DATA_BLOB **_pac_blob); |