kdc: Always add the PAC if the header TGT is from an RODC

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index d89d69deed2c3c6a48fd7247ae5e99a003e7efd5..3b78491c8372c8b97ac037fa9279a7e1db8bb6c0 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -128,5 +128,4 @@
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed

diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index ecd182702c3452f668038ce42abb81e902c181fc..8c3ce71529c85b702c9836f4d3e04e6fbe27fa6a 100644 (file)
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -471,7 +471,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
                goto out;
        }
 
-       if (!server_skdc_entry->is_krbtgt) {
+       if (!is_untrusted && !server_skdc_entry->is_krbtgt) {
                /*
                 * The client may have requested no PAC when obtaining the
                 * TGT.