s4:kdc: Always regard device info when the client performs RBCD

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 842309bafe8edc54c2c2dcab767dc0d8ea353c88..9c86662ea0451aa939bbfb33301acb9faff6f456 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -127,10 +127,6 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_aa_asserted_identity\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_claims_valid\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index cf606d3e6dda359aaf10f9dfd4b48f0e1d82f0f3..107595c64aa56e1c87fb71e6c8a7f3c43de92f64 100644 (file)
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -3413,7 +3413,8 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
        struct security_token *security_token = NULL;
        uint32_t session_info_flags =
                AUTH_SESSION_INFO_DEFAULT_GROUPS |
-               AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+               AUTH_SESSION_INFO_SIMPLE_PRIVILEGES |
+               AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION;
        /*
         * Testing shows that although Windows grants SEC_ADS_GENERIC_ALL access
         * in security descriptors it creates for RBCD, its KDC only requires