s4:kdc: regenerate the client claims blob in samba_kdc_update_pac() if needed
authorStefan Metzmacher <metze@samba.org>
Wed, 19 Feb 2025 13:05:51 +0000 (14:05 +0100)
committerRalph Boehme <slow@samba.org>
Sat, 22 Feb 2025 22:06:39 +0000 (22:06 +0000)
Note that samba_kdc_get_claims_data() already handles the
samba_kdc_entry_pac_issued_by_trust() case to clear the
claims received from a trusted domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source4/kdc/pac-glue.c

index 928a7fda08474c7274e5e83141f7f327e7bb6081..f2e1f21a16c21210d37cc35f4302ae493cf32c79 100644 (file)
@@ -2636,6 +2636,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
        enum auth_group_inclusion group_inclusion;
        bool compounded_auth = false;
        bool need_device = false;
+       bool regenerate_client_claims = false;
        size_t i = 0;
 
        if (server_audit_info_out != NULL) {
@@ -2697,7 +2698,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                                         kdc_db_ctx,
                                         client,
                                         &pac_claims.user_claims,
-                                        NULL); /* _need_regeneration */
+                                        &regenerate_client_claims);
        if (code) {
                goto done;
        }
@@ -2894,14 +2895,6 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                        code = map_errno_from_nt_status(nt_status);
                        goto done;
                }
-
-               /*
-                * TODO: we need claim translation over trusts,
-                * for now we just clear them...
-                */
-               if (samba_kdc_entry_pac_issued_by_trust(client)) {
-                       client_claims_blob = &data_blob_null;
-               }
        } else {
                nt_status = samba_kdc_get_logon_info_blob(tmp_ctx,
                                                          user_info_dc_const,
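Review bot: With the trust-issued clearing removed here, nothing left in this branch records that claims copied out of a trust-issued PAC must not be reused as-is, so a reader now sees client_claims_blob taken from the incoming PAC with no caveat at the use site. The commit message says samba_kdc_get_claims_data() already covers the samba_kdc_entry_pac_issued_by_trust() case, but that is only visible inside the helper, and the `/* Don't trust RODC-issued claims. Regenerate them. */` comment that used to explain the regeneration is dropped in the following hunk, so this function would end up with no explanation of why the blob is rebuilt. I would add a comment after the error check at the end of this branch, e.g. `/* Claims taken from an RODC- or trust-issued PAC are not used as-is: samba_kdc_get_claims_data() is expected to set regenerate_client_claims for those cases so the blob is rebuilt below. */`. samba_kdc_update_pac() begins and ends outside this hunk.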
@@ -2935,8 +2928,9 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                                goto done;
                        }
                }
+       }
 
-               /* Don't trust RODC-issued claims. Regenerate them. */
+       if (regenerate_client_claims) {
                nt_status = samba_kdc_get_claims_blob(tmp_ctx,
                                                      pac_claims.user_claims,
                                                      &client_claims_blob);