authorAndrew Bartlett <abartlet@samba.org>2010-11-16 09:33:05 +1100
committerAndrew Bartlett <abartlet@samba.org>2010-11-15 23:59:34 +0000
commit96bdcf7ea9d06e4681af012974458d67d264cfda (patch)
tree4da96677ab3f426fb56a3395ba89243e97d0839a
parenta32ade647db710ed84565891fca3e65dd609f69d (diff)
s4-kdc Don't regenerate the PAC for cross-realm tickets
We should never get a cross-realm ticket that was not issued by a full DC, but if someone claims to have such a thing, reject it rather than segfaulting on the NULL client pointer. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Nov 15 23:59:34 UTC 2010 on sn-devel-104
-rw-r--r--source4/kdc/wdc-samba4.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index a6487110f7..fb5816d33b 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -84,6 +84,9 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context,
* RODC, then we need to regenerate the PAC - we can't trust
* it */
if (samba_krbtgt_was_untrusted_rodc(krbtgt)) {
+ if (client == NULL) {
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ }
nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
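Review bot: The added `if (client == NULL)` branch returns without releasing `mem_ctx`, while the failure path right below it calls `talloc_free(mem_ctx)` before returning, so this rejection path appears to leak the context each time it is taken. Because it is taken whenever a peer presents such a ticket, the leak would be repeatable against the KDC process and turns the fixed crash into slow memory growth. I would put `talloc_free(mem_ctx);` immediately before `return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;`. The allocation of `mem_ctx` and the rest of `samba_wdc_reget_pac` lie outside the hunk, so confirm that the context is already allocated at this point and that no other use of `client` in the function needs the same guard.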