s4-kdc Don't always regenerate the PAC
author Andrew Bartlett <abartlet@samba.org>
Mon, 15 Nov 2010 22:30:55 +0000 (09:30 +1100)
committer Andrew Bartlett <abartlet@samba.org>
Mon, 15 Nov 2010 23:17:05 +0000 (23:17 +0000)
The PAC was being regenerated on all normal DCs, because they don't
have a msDS-SecondaryKrbTgtNumber attribute.  Instead we need to check
if it's set and not equal to our RODC number, allowing RODCs to trust
the full DCs and itself, but not other RODCs.

Andrew Bartlett

source4/kdc/pac-glue.c

index 33b845d356de9ef232efff880b3cf9c8bb6b2d19..3c0c50430e259ecef7defcd52d1dd40dddedcfd4 100644 (file)
@@ -126,9 +126,11 @@ bool samba_krbtgt_was_untrusted_rodc(struct hdb_entry_ex *princ)
        struct samba_kdc_entry *p = talloc_get_type(princ->ctx, struct samba_kdc_entry);
        int rodc_krbtgt_number;
 
-       /* The service account may be set not to want the PAC */
+       /* Determine if this was printed by an RODC */
        rodc_krbtgt_number = ldb_msg_find_attr_as_int(p->msg, "msDS-SecondaryKrbTgtNumber", -1);
-       if (rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number) {
+       if (rodc_krbtgt_number == -1) {
+               return false;
+       } else if (rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number) {
                return true;
        }
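Review bot: the new `if (rodc_krbtgt_number == -1)` branch relies on the `-1` default passed to `ldb_msg_find_attr_as_int` as the "attribute absent" sentinel, but neither the code nor the updated comment says so; a reader of `samba_krbtgt_was_untrusted_rodc` has to know that the main krbtgt account on a full DC carries no `msDS-SecondaryKrbTgtNumber` to see why "absent" means "trusted". Suggest spelling that out next to the check, e.g. `/* -1: no msDS-SecondaryKrbTgtNumber, so this is the main krbtgt account, not an RODC's */`, so the sentinel is not silently broken if the default value is ever changed. Minor style point in the same lines: `else if` after an unconditional `return false;` can be a plain `if`.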