Also tested against Windows Server 2022.
Details:
https://lists.samba.org/archive/cifs-protocol/2022-April/003673.html
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
#
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_not_revealed
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_not_revealed
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_not_revealed
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed
}
goto done;
}
+
+ /*
+ * The RODC PAC data isn't trusted for authorization as it may
+ * be stale. The only thing meaningful we can do with an RODC
+ * account on a full DC is exchange the RODC TGT for a 'real'
+ * TGT.
+ *
+ * So we match Windows (at least server 2022) and
+ * don't allow S4U2Self.
+ *
+ * https://lists.samba.org/archive/cifs-protocol/2022-April/003673.html
+ */
+ if (flags & SAMBA_KDC_FLAG_PROTOCOL_TRANSITION) {
+ code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ goto done;
+ }
} else {
pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
if (pac_blob == NULL) {