s4:kdc: Don’t enforce a server authentication policy for the krbtgt
author Joseph Sutton <josephsutton@catalyst.net.nz>
Thu, 10 Aug 2023 22:15:56 +0000 (10:15 +1200)
committer Andrew Bartlett <abartlet@samba.org>
Mon, 14 Aug 2023 04:57:34 +0000 (04:57 +0000)
As the server authentication policy will be non-NULL only for entries
looked up as servers, the krbtgt shouldn’t have an authentication policy
anyway. But we might as well be explicit.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/pac-glue.c

index b8efb754c04af4bc0bb960a06e4414998fa93f42..36486845efdde32b53d6bc832763cfce1be579bc 100644 (file)
@@ -2524,7 +2524,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
         * Enforce the AllowedToAuthenticateTo part of an authentication policy,
         * if one is present.
         */
-       if (authn_policy_restrictions_present(server->server_policy)) {
+       if (!is_tgs && authn_policy_restrictions_present(server->server_policy)) {
                const struct samba_kdc_entry *auth_entry = NULL;
                struct auth_user_info_dc *auth_user_info_dc = NULL;
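Review bot: the comment block directly above the changed condition ("Enforce the AllowedToAuthenticateTo part of an authentication policy, if one is present.") no longer describes the whole condition now that the TGS is exempted; add a line such as `* The krbtgt is never looked up as a server, so skip this check for it.` so the `!is_tgs` guard is documented where it applies. `is_tgs` is not defined within this hunk, so please confirm it is initialised earlier in samba_kdc_update_pac before this point. Also, since the commit message states the krbtgt should never carry a server policy, consider a debug-level log when `is_tgs && authn_policy_restrictions_present(server->server_policy)` holds, so an unexpected policy on the krbtgt is visible rather than silently ignored.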