1 files changed, 27 insertions, 15 deletions

diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 0ebc4e7c2b..8926594698 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -60,7 +60,9 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
 static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context,
 					   const krb5_principal client_principal,
 					   struct hdb_entry_ex *client,
-					   struct hdb_entry_ex *server, krb5_pac *pac)
+					   struct hdb_entry_ex *server,
+					   struct hdb_entry_ex *krbtgt,
+					   krb5_pac *pac)
 {
 	struct samba_kdc_entry *p = talloc_get_type(server->ctx, struct samba_kdc_entry);
 	TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_kdc_reget_pac context");
@@ -72,27 +74,37 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context,
 		return ENOMEM;
 	}
 
-	pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
-	if (!pac_blob) {
-		talloc_free(mem_ctx);
-		return ENOMEM;
-	}
-
 	/* The user account may be set not to want the PAC */
 	if (!samba_princ_needs_pac(server)) {
 		talloc_free(mem_ctx);
 		return EINVAL;
 	}
 
-	nt_status = samba_kdc_update_pac_blob(mem_ctx, context,
-					      pac, pac_blob);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(0, ("Building PAC failed: %s\n",
-			  nt_errstr(nt_status)));
-		talloc_free(mem_ctx);
-		return EINVAL;
-	}
+	/* If the krbtgt was generated by an RODC, and we are not that
+	 * RODC, then we need to regenerate the PAC - we can't trust
+	 * it */
+	if (samba_krbtgt_was_untrusted_rodc(krbtgt)) {
+		nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			talloc_free(mem_ctx);
+			return EINVAL;
+		}
+	} else {
+		pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
+		if (!pac_blob) {
+			talloc_free(mem_ctx);
+			return ENOMEM;
+		}
 
+		nt_status = samba_kdc_update_pac_blob(mem_ctx, context,
+						      pac, pac_blob);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			DEBUG(0, ("Building PAC failed: %s\n",
+				  nt_errstr(nt_status)));
+			talloc_free(mem_ctx);
+			return EINVAL;
+		}
+	}
 	/* We now completely regenerate this pac */
 	krb5_pac_free(context, *pac);