diff options
| author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2021-11-24 20:41:54 +1300 |
|---|---|---|
| committer | Jule Anger <janger@samba.org> | 2022-07-24 11:42:01 +0200 |
| commit | 49aafce0a705d47ffd4753ce6c6f452c4f7aa882 (patch) | |
| tree | 88fc82f71284eaf85b323d39f64eec49093bcaa8 | |
| parent | 65bb0e3201d60d87a3f228ea161644d9a5f918c5 (diff) | |
| download | samba-49aafce0a705d47ffd4753ce6c6f452c4f7aa882.tar.gz | |
kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184
(cherry picked from commit 38c5bad4a853b19fe9a51fb059e150b153c4632a)
| -rw-r--r-- | selftest/knownfail_heimdal_kdc | 6 | ||||
| -rw-r--r-- | source4/kdc/wdc-samba4.c | 6 |
2 files changed, 6 insertions, 6 deletions
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 53cc8e6b6a2..32465cb6042 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -274,9 +274,3 @@ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index b1d011c09a9..d7ce34fb3a9 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -459,6 +459,12 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context, talloc_free(mem_ctx); return EINVAL; } + if (delegated_proxy_principal == NULL && requester_sid_idx == -1) { + DEBUG(1, ("PAC_TYPE_REQUESTER_SID missing\n")); + SAFE_FREE(types); + talloc_free(mem_ctx); + return KRB5KDC_ERR_TGT_REVOKED; + } /* * The server account may be set not to want the PAC. |