From 49f8113fabd2603b45439404c91d350b4d6eaeac Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 11 Jan 2012 18:06:55 +1100
Subject: s4-kdc Do the KDC PAC checksum validation in the Samba plugin

Here we can fetch the right key, and check if the PAC is likely to be signed by a key that we know. We cannot check the KDC signature on incoming trusts.
Andrew Bartlett
---
 source4/kdc/mit_samba.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'source4/kdc/mit_samba.c')
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 06ee46eac0..f56e6796d0 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -254,8 +254,11 @@ static int mit_samba_update_pac_data(struct mit_samba_context *ctx,
 goto done;
 }
+ /* TODO: An implementation-specific decision will need to be
+ * made as to when to check the KDC pac signature, and how to
+ * untrust untrusted RODCs */
 nt_status = samba_kdc_update_pac_blob(tmp_ctx, ctx->context,
- pac, logon_blob);
+ pac, logon_blob, NULL, NULL);
 if (!NT_STATUS_IS_OK(nt_status)) {
 DEBUG(0, ("Building PAC failed: %s\n", nt_errstr(nt_status)));
-- cgit
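Review bot: The two new trailing arguments to `samba_kdc_update_pac_blob()` are passed as bare `NULL, NULL`, so on this MIT plugin path the PAC appears to be rebuilt without the KDC checksum validation the commit subject describes. The callee's signature is not visible in this hunk, so that reading is inferred from the TODO placed above the call. The TODO only describes a future decision; it should also state the present consequence, because a PAC whose KDC signature goes unchecked is accepted with whatever authorization data it carries, which is the RODC concern the comment names. I would extend the comment with something like `/* NULL, NULL: signature data is not requested here, so the KDC PAC checksum is NOT verified on the MIT path */`, and reword "untrust untrusted RODCs" to say what is meant, for example "reject PACs signed by RODCs we do not trust". `mit_samba_update_pac_data` begins and ends outside the hunk, so any earlier validation in that function cannot be seen from here.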