]> git.ipfire.org Git - thirdparty/samba.git/commitdiff
projects / thirdparty / samba.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 291a662)
s4:kdc: let hdb_samba4_check_rbcd() fill device_pac_entry() without device_entry
authorStefan Metzmacher <metze@samba.org>
Tue, 11 Mar 2025 11:09:43 +0000 (12:09 +0100)
committerRalph Boehme <slow@samba.org>
Thu, 3 Apr 2025 09:36:31 +0000 (09:36 +0000)
If we have a device_pac we also have device_server/krbtgt_entry, while
device_entry is optional.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source4/kdc/hdb-samba4.c patch | blob | blame | history

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 71a54da5a6526b08c0bf8a384ceb3b895d565b5a..01450148a1c65ff31ac0466066ec5e7943f523c6 100644 (file)
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -357,16 +357,26 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
                                               client_skdc_entry,
                                               client_krbtgt_skdc_entry);
 
-       if (device != NULL) {
+       if (device_pac != NULL) {
                struct samba_kdc_entry *device_skdc_entry = NULL;
                const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL;
 
-               device_skdc_entry = talloc_get_type_abort(device->context,
-                                                         struct samba_kdc_entry);
+               /*
+                * If we have a armor_pac we also have armor_server,
+                * otherwise we can't decrypt the ticket and get to
+                * the pac.
+                */
+               device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context,
+                                                                struct samba_kdc_entry);
 
-               if (device_krbtgt != NULL) {
-                       device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context,
-                                                                        struct samba_kdc_entry);
+               /*
+                * The armor ticket might be from a different
+                * domain, so we may not have a local db entry
+                * for the device.
+                */
+               if (device != NULL) {
+                       device_skdc_entry = talloc_get_type_abort(device->context,
+                                                                 struct samba_kdc_entry);
                }
 
                device_pac_entry = samba_kdc_entry_pac(device_pac,
Mirror of https://github.com/samba-team/samba.git