From 996d7786c7d0ae63fe440f3b991f90a316e27b35 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 11 Mar 2025 11:40:45 +0100
Subject: [PATCH] s4:kdc: let samba_wdc_reget_pac() use krbtgt_skdc_entry as delegated_proxy_krbtgt_entry

Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
 source4/kdc/wdc-samba4.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 685d25b88b9..eeab30d8a12 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -304,6 +304,7 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
 {
 	krb5_context context = kdc_request_get_context((kdc_request_t)r);
 	struct samba_kdc_entry *delegated_proxy_skdc_entry = NULL;
+	const struct samba_kdc_entry *delegated_proxy_krbtgt_entry = NULL;
 	krb5_const_principal delegated_proxy_principal = NULL;
 	struct samba_kdc_entry_pac delegated_proxy_pac_entry = {};
 	struct samba_kdc_entry *client_skdc_entry = NULL;
@@ -333,16 +334,23 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
 		delegated_proxy_skdc_entry = talloc_get_type_abort(delegated_proxy->context,
								   struct samba_kdc_entry);
 		delegated_proxy_principal = delegated_proxy->principal;
+
+		/*
+		 * The S4U2Proxy
+		 * evidence ticket could
+		 * not have been signed
+		 * or issued by a krbtgt
+		 * trust account.
+		 */
+		if (!krbtgt_skdc_entry->is_krbtgt) {
+			return EINVAL;
+		}
+		delegated_proxy_krbtgt_entry = krbtgt_skdc_entry;
 	}
 
 	delegated_proxy_pac_entry = samba_kdc_entry_pac(delegated_proxy_pac,
							delegated_proxy_skdc_entry,
-							/* The S4U2Proxy
-							 * evidence ticket could
-							 * not have been signed
-							 * or issued by a krbtgt
-							 * trust account. */
-							NULL /* krbtgt */);
+							delegated_proxy_krbtgt_entry);
 
 	if (client != NULL) {
 		client_skdc_entry = talloc_get_type_abort(client->context,
-- 
2.47.3
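Review bot: The block comment added above the new `is_krbtgt` check in the second hunk keeps the two-to-three-word line breaks it inherited from its former position as an inline argument comment, and it states only what cannot happen, not what the check enforces; now that it stands on its own it should be reflowed and completed, e.g. `/* The S4U2Proxy evidence ticket cannot have been issued or signed by a krbtgt trust account, so the krbtgt entry used here must be our own krbtgt; anything else is an internal error. */`. Returning `EINVAL` reads as treating this as a server-side invariant rather than a client-controllable condition, which appears appropriate if `krbtgt_skdc_entry` is selected by the key that decrypted the ticket rather than by request data, but that entry is derived outside the hunk, so it is worth confirming it is already non-NULL on every path that reaches this point with `delegated_proxy != NULL`. Passing `delegated_proxy_krbtgt_entry` into samba_kdc_entry_pac() presumably lets the evidence ticket's PAC be validated against that krbtgt, which the previous `NULL /* krbtgt */` precluded; a one-line comment at the call site saying so would help the next reader understand why the argument changed. The enclosing function samba_wdc_reget_pac() starts before the first hunk and continues after the second.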