From 990720b8cd869a375686cc78f270e68ca9bd28b3 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 28 Sep 2010 12:53:06 +1000
Subject: s4-kdc Add function to determine if a hdb entry is a RODC

This is important, as we must ignore the PAC from an RODC.

Andrew Bartlett
---
 source4/kdc/pac-glue.c | 16 ++++++++++++++++
 source4/kdc/pac-glue.h | 2 ++
 2 files changed, 18 insertions(+)
(limited to 'source4')

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 3eeb26c98d..b9a686cf14 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -119,6 +119,22 @@ bool samba_princ_needs_pac(struct hdb_entry_ex *princ)
 	return true;
 }
 
+/* Was the krbtgt an RODC (and we are not) */
+bool samba_krbtgt_was_untrusted_rodc(struct hdb_entry_ex *princ)
+{
+
+	struct samba_kdc_entry *p = talloc_get_type(princ->ctx, struct samba_kdc_entry);
+	int rodc_krbtgt_number;
+
+	/* The service account may be set not to want the PAC */
+	rodc_krbtgt_number = ldb_msg_find_attr_as_int(p->msg, "msDS-SecondaryKrbTgtNumber", -1);
+	if (rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number) {
+		return true;
+	}
+
+	return false;
+}
+
 NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx,
 				struct hdb_entry_ex *client,
 				DATA_BLOB **_pac_blob)
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 4723a72b07..c5cc661c43 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -27,6 +27,8 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
 bool samba_princ_needs_pac(struct hdb_entry_ex *princ);
 
+bool samba_krbtgt_was_untrusted_rodc(struct hdb_entry_ex *princ);
+
 NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx,
 				struct hdb_entry_ex *client,
 				DATA_BLOB **_pac_blob);
-- 
cgit
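Review bot: The comment `/* The service account may be set not to want the PAC */` above the ldb_msg_find_attr_as_int() call in samba_krbtgt_was_untrusted_rodc() is carried over from samba_princ_needs_pac() and does not describe this check, which compares the krbtgt entry's msDS-SecondaryKrbTgtNumber with this KDC's own my_krbtgt_number; replace it with something like `/* Compare the issuing krbtgt's msDS-SecondaryKrbTgtNumber (-1 if absent) with our own; any other krbtgt's PAC is not ours to trust */`. Because the attribute defaults to -1 when missing, the result hinges on my_krbtgt_number following the same convention for the main krbtgt: on a KDC whose own number is not -1, a ticket from the main krbtgt would also be reported as untrusted, which is wider than the "RODC" in the function name suggests, so this is worth confirming against how my_krbtgt_number is initialised. talloc_get_type() yields NULL on a type mismatch and p is dereferenced without a check, though the existing samba_princ_needs_pac() presumably does the same. As a point of style, the if/return pair could collapse to `return rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number;` and the empty line after the opening brace dropped.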
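Review bot: The new prototype in pac-glue.h is declared without any comment on what the return value means, so a header reader has to open pac-glue.c to learn that true means the ticket's krbtgt was not this KDC's own krbtgt. Suggest `/* true if the krbtgt that issued the ticket is not this KDC's own krbtgt (e.g. an RODC); its PAC must then be ignored */` above the declaration, mirroring the intent stated in the commit message.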