From 887f0cf243a3d4bc3e87654794c3bc8ec6857aac Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 23 Mar 2022 16:34:25 +0100
Subject: [PATCH] s4:kdc: Fix S4U2Proxy in RODC case to return an error

Tested also against Windows Server 2022.
Details: https://lists.samba.org/archive/cifs-protocol/2022-April/003673.html
Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Andreas Schneider
Signed-off-by: Stefan Metzmacher
---
 selftest/knownfail_heimdal_kdc | 1 -
 source4/kdc/pac-glue.c | 16 ++++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 73c72451ba5..4ae27eacb09 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -44,7 +44,6 @@ # ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_not_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_not_revealed
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_not_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index fcc17baad0f..5db40375e7f 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1522,6 +1522,22 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 }
 goto done;
 }
+
+ /*
+ * The RODC PAC data isn't trusted for authorization as it may
+ * be stale. The only thing meaningful we can do with an RODC
+ * account on a full DC is exchange the RODC TGT for a 'real'
+ * TGT.
+ *
+ * So we match Windows (at least server 2022) and
+ * don't allow S4U2Self.
+ *
+ * https://lists.samba.org/archive/cifs-protocol/2022-April/003673.html
+ */
+ if (flags & SAMBA_KDC_FLAG_PROTOCOL_TRANSITION) {
+ code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ goto done;
+ }
 } else {
 pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
 if (pac_blob == NULL) {
--
2.34.1
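Review bot: The added comment ("don't allow S4U2Self") and the `flags & SAMBA_KDC_FLAG_PROTOCOL_TRANSITION` test both describe S4U2Self, while the patch subject says S4U2Proxy; one of the two should be corrected so a later reader does not assume constrained delegation with an RODC-issued ticket is also rejected by this branch, which the visible check does not do. The refusal is silent, which makes a client's KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN hard to attribute on the KDC side; a one-line message before the new `goto done`, e.g. `DBG_NOTICE("Refusing S4U2Self on an RODC-issued TGT\n");`, would give operators something to correlate with the client failure. The choice of C_PRINCIPAL_UNKNOWN rather than a policy error is justified only by the linked thread, so the comment could state that this is the code Windows returns, to stop a future cleanup from "fixing" it. samba_kdc_update_pac() begins and ends outside the hunk, so the condition that selects the RODC branch this check sits in is not visible here.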