authorAndrew Bartlett <abartlet@samba.org>2010-11-16 09:30:55 +1100
committerAndrew Bartlett <abartlet@samba.org>2010-11-15 23:17:05 +0000
commita32ade647db710ed84565891fca3e65dd609f69d (patch)
tree2e4a7bb6ec562d7a9b6ec547256c1cc6e11da63e /source4
parent4041640bd6d7f8747c8229b02dbb847056bdaa35 (diff)
s4-kdc Don't always regenerate the PAC
The PAC was being regenerated on all normal DCs, because they don't have a msDS-SecondaryKrbTgtNumber attribute. Instead we need to check whether it is set and not equal to our own RODC number, so that each RODC trusts the full DCs and itself, but not other RODCs. Andrew Bartlett
Diffstat (limited to 'source4')
-rw-r--r--source4/kdc/pac-glue.c6
1 files changed, 4 insertions, 2 deletions
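--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -126,9 +126,11 @@ bool samba_krbtgt_was_untrusted_rodc(struct hdb_entry_ex *princ)
 struct samba_kdc_entry *p = talloc_get_type(princ->ctx, struct samba_kdc_entry);
 int rodc_krbtgt_number;
-/* The service account may be set not to want the PAC */
+/* Determine if this was printed by an RODC */
 rodc_krbtgt_number = ldb_msg_find_attr_as_int(p->msg, "msDS-SecondaryKrbTgtNumber", -1);
-if (rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number) {
+if (rodc_krbtgt_number == -1) {
+return false;
+} else if (rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number) {
 return true;
 }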
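Review bot: The comment added at the top of the hunk, `/* Determine if this was printed by an RODC */`, does not explain why an absent attribute (the -1 default passed to ldb_msg_find_attr_as_int) means the issuing krbtgt is trusted, which is the security-relevant decision the new `== -1` branch makes; "printed" also reads as a typo for "issued". I would replace it with a comment stating that, per the commit description, msDS-SecondaryKrbTgtNumber is not present on a full DC's krbtgt account, so its absence is taken as a full-DC krbtgt whose PAC is kept, while a number that is present but differs from my_krbtgt_number means another RODC whose PAC must be regenerated. Because -1 doubles as the not-found default and the trusted sentinel, a named constant or a one-line note that a stored value of -1 would be indistinguishable from absence would make that intent explicit to the next reader. The enclosing function samba_krbtgt_was_untrusted_rodc continues past the end of the hunk.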