kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
authorAndrew Bartlett <abartlet@samba.org>
Mon, 18 Oct 2021 02:21:50 +0000 (15:21 +1300)
committerStefan Metzmacher <metze@samba.org>
Wed, 27 Oct 2021 22:37:10 +0000 (22:37 +0000)
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org backported from commit 92e8ce18a79e88c9b961dc20e39436c4cf653013
 as there was a knownfail conflict with the test_remove_pac case
 which succeeds on this branch]

selftest/knownfail_heimdal_kdc
selftest/knownfail_mit_kdc
source4/kdc/mit_samba.c
source4/kdc/pac-glue.c

index 32cfa2afa884e2770a4839d8b636c316428d0bef..4d058bad3da7a7430330b6cd2dfe68f7d874b85b 100644 (file)
 #
 # TGS tests
 #
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_client_no_auth_data_required
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_service_no_auth_data_required
index 00f652db14a4fda6408f563157588ff416c9049c..0f845fb9b1cefbc5fe9b6f242a40acff80813fed 100644 (file)
@@ -276,7 +276,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\)
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\)
 #
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_client_no_auth_data_required\(ad_dc\)
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_request_no_pac\(ad_dc\)
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_service_no_auth_data_required\(ad_dc\)
 #
index 2936fe2d18a0f9d8cbe7a6ea9d601a3f56e974de..689e14e1c38d5b4c9fbe8b07773d49d58e545a32 100644 (file)
@@ -495,18 +495,11 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
        ssize_t srv_checksum_idx = -1;
        ssize_t kdc_checksum_idx = -1;
        krb5_pac new_pac = NULL;
-       bool ok;
 
        if (client != NULL) {
                client_skdc_entry =
                        talloc_get_type_abort(client->e_data,
                                              struct samba_kdc_entry);
-
-               /* The user account may be set not to want the PAC */
-               ok = samba_princ_needs_pac(client_skdc_entry);
-               if (!ok) {
-                       return EINVAL;
-               }
        }
 
        if (server == NULL) {
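Review bot: Nothing on the new side records why the client's UF_NO_AUTH_DATA_REQUIRED flag is no longer consulted in the `if (client != NULL)` branch, so a later reader could take the missing check for an oversight and restore it. A short comment there would prevent that, for example `/* UF_NO_AUTH_DATA_REQUIRED applies to the service principal only, so the client entry is deliberately not checked here */`. The same applies to the removal in samba_kdc_get_pac_blobs in source4/kdc/pac-glue.c, which no longer returns early with NT_STATUS_OK when the principal is flagged. Where the flag is still enforced for services, and whether any caller relied on that early return for a service entry, is not visible in this diff and is worth confirming. mit_samba_reget_pac's body continues outside the hunk.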
index 88bcb734fc5646fe9abce54fd0c054cbe2509a1f..688103d8477bbbb0547dd866711d6e731dfa3302 100644 (file)
@@ -651,11 +651,6 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
        }
        *_upn_info_blob = NULL;
 
-       /* The user account may be set not to want the PAC */
-       if ( ! samba_princ_needs_pac(p)) {
-               return NT_STATUS_OK;
-       }
-
        logon_blob = talloc_zero(mem_ctx, DATA_BLOB);
        if (logon_blob == NULL) {
                return NT_STATUS_NO_MEMORY;