Diffstat (limited to 'source4/kdc/wdc-samba4.c')
-rw-r--r-- | source4/kdc/wdc-samba4.c | 42 |
1 files changed, 27 insertions, 15 deletions
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 0ebc4e7c2b..8926594698 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -60,7 +60,9 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
 static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context,
 const krb5_principal client_principal,
 struct hdb_entry_ex *client,
- struct hdb_entry_ex *server, krb5_pac *pac)
+ struct hdb_entry_ex *server,
+ struct hdb_entry_ex *krbtgt,
+ krb5_pac *pac)
 {
 struct samba_kdc_entry *p = talloc_get_type(server->ctx, struct samba_kdc_entry);
 TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_kdc_reget_pac context");
@@ -72,27 +74,37 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context,
 return ENOMEM;
 }
- pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
- if (!pac_blob) {
- talloc_free(mem_ctx);
- return ENOMEM;
- }
-
 /* The user account may be set not to want the PAC */
 if (!samba_princ_needs_pac(server)) {
 talloc_free(mem_ctx);
 return EINVAL;
 }
- nt_status = samba_kdc_update_pac_blob(mem_ctx, context,
- pac, pac_blob);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("Building PAC failed: %s\n",
- nt_errstr(nt_status)));
- talloc_free(mem_ctx);
- return EINVAL;
- }
+ /* If the krbtgt was generated by an RODC, and we are not that
+ * RODC, then we need to regenerate the PAC - we can't trust
+ * it */
+ if (samba_krbtgt_was_untrusted_rodc(krbtgt)) {
+ nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(mem_ctx);
+ return EINVAL;
+ }
+ } else {
+ pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
+ if (!pac_blob) {
+ talloc_free(mem_ctx);
+ return ENOMEM;
+ }
+ nt_status = samba_kdc_update_pac_blob(mem_ctx, context,
+ pac, pac_blob);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Building PAC failed: %s\n",
+ nt_errstr(nt_status)));
+ talloc_free(mem_ctx);
+ return EINVAL;
+ }
+ }
 /* We now completely regenerate this pac */
 krb5_pac_free(context, *pac); |
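Review bot: The failure path inside the new `samba_krbtgt_was_untrusted_rodc(krbtgt)` branch returns EINVAL with no diagnostic, whereas the `else` branch directly below it logs `Building PAC failed` at DEBUG level 0 for the equivalent failure; a PAC rebuild forced because the presented krbtgt came from an RODC we do not trust is precisely the event an operator wants to see, so add `DEBUG(0, ("Regenerating PAC for untrusted RODC krbtgt failed: %s\n", nt_errstr(nt_status)));` before the `talloc_free(mem_ctx)` in that branch. A log line at the point where the untrusted-RODC test succeeds (client principal plus the fact that the incoming PAC was discarded) would likewise make the trust decision auditable rather than silent. The hunk does not show whether `krbtgt` can be NULL on this callback path, so if the new helper does not tolerate NULL a guard is needed here; samba_wdc_reget_pac continues past the end of the hunk.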