The PAC was being regenerated on all normal DCs, because they don't
have a msDS-SecondaryKrbTgtNumber attribute. Instead we need to check
if it's set and not equal to our RODC number, allowing RODCs to trust
the full DCs and itself, but not other RODCs.
Andrew Bartlett
struct samba_kdc_entry *p = talloc_get_type(princ->ctx, struct samba_kdc_entry);
int rodc_krbtgt_number;
- /* The service account may be set not to want the PAC */
+ /* Determine if this was printed by an RODC */
rodc_krbtgt_number = ldb_msg_find_attr_as_int(p->msg, "msDS-SecondaryKrbTgtNumber", -1);
- if (rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number) {
+ if (rodc_krbtgt_number == -1) {
+ return false;
+ } else if (rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number) {
return true;
}