author | Andrew Bartlett <abartlet@samba.org> | 2010-11-16 09:33:05 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-11-15 23:59:34 +0000 |
commit | 96bdcf7ea9d06e4681af012974458d67d264cfda (patch) | |
tree | 4da96677ab3f426fb56a3395ba89243e97d0839a | |
parent | a32ade647db710ed84565891fca3e65dd609f69d (diff) | |
s4-kdc Don't regenerate the PAC for cross-realm tickets
We should never get a cross-realm ticket that was not issued by a full
DC, but if someone claims to have such a thing, reject it rather than
segfaulting on the NULL client pointer.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Nov 15 23:59:34 UTC 2010 on sn-devel-104
-rw-r--r-- | source4/kdc/wdc-samba4.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index a6487110f7..fb5816d33b 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -84,6 +84,9 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context, * RODC, then we need to regenerate the PAC - we can't trust * it */ if (samba_krbtgt_was_untrusted_rodc(krbtgt)) { + if (client == NULL) { + return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + } nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); |
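Review bot: The new `client == NULL` early return inside the `samba_krbtgt_was_untrusted_rodc(krbtgt)` branch returns without calling `talloc_free(mem_ctx)`, while the error path immediately below it frees `mem_ctx` before returning. If `mem_ctx` is already allocated at this point, as that following path suggests, every rejected request leaks the context; add `talloc_free(mem_ctx);` before `return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;`. A short comment on the check would also help, stating that a NULL `client` here means a cross-realm ticket claiming to come from an RODC, since the existing comment only explains why the PAC is regenerated.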