s4:kdc: make sure we expand group memberships of the local domain
[amitay/samba.git] / source4 / kdc / pac-glue.c
index 9b5f30917a6ae5da518b619d6cf686060ae842e9..126001cb7186e806414002ae10c57807a53fc168 100644 (file)
@@ -763,6 +763,17 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
                return NT_STATUS_UNSUCCESSFUL;
        }
 
+       /*
+        * We need to expand group memberships within our local domain,
+        * as the token might be generated by a trusted domain.
+        */
+       nt_status = authsam_update_user_info_dc(mem_ctx,
+                                               krbtgt->kdc_db_ctx->samdb,
+                                               user_info_dc);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               return nt_status;
+       }
+
        nt_status = samba_get_logon_info_pac_blob(mem_ctx, 
                                                  user_info_dc, pac_blob);
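Review bot: The new call to `authsam_update_user_info_dc()` expands local groups from SIDs that, per the added comment, may come from a token generated by a trusted domain, and nothing in this hunk shows those SIDs being filtered first. If the incoming SID list is not already restricted to what that trust may assert, a SID it claims from our own domain would presumably be expanded into local group memberships and carried into the blob built by the following `samba_get_logon_info_pac_blob()` call. Whether that filtering happens earlier in `samba_kdc_update_pac_blob()` cannot be seen here, since the function starts and ends outside the hunk. I would state the precondition in the comment, e.g. `* The SIDs in user_info_dc must already be filtered for the issuing trust before expansion.`, and confirm it holds. A log line before the new `return nt_status;` would also let a failed ticket request be traced to the group-expansion step.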