s4:kdc: move samba_kdc_get_user_info_dc() up in samba_kdc_update_pac()
authorStefan Metzmacher <metze@samba.org>
Tue, 18 Feb 2025 16:00:01 +0000 (17:00 +0100)
committerRalph Boehme <slow@samba.org>
Sat, 22 Feb 2025 22:06:39 +0000 (22:06 +0000)
This will make further changes easier.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source4/kdc/pac-glue.c

index 9accc97445fba45b4381458377ec7467d58223a8..7417b86c4470dc86fdc7116125a135ec120cb455 100644 (file)
@@ -2700,6 +2700,26 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED;
        }
 
+       /*
+        * If we are creating a TGT, resource groups from our domain are not to
+        * be put into the PAC. Instead, we take the resource groups directly
+        * from the original PAC and copy them unmodified into the new one.
+        */
+       code = samba_kdc_get_user_info_dc(tmp_ctx,
+                                         context,
+                                         kdc_db_ctx,
+                                         client,
+                                         &user_info_dc_const,
+                                         is_tgs ? &_resource_groups : NULL);
+       if (code != 0) {
+               const char *err_str = krb5_get_error_message(context, code);
+               DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
+                       err_str != NULL ? err_str : "<unknown>");
+               krb5_free_error_message(context, err_str);
+
+               goto done;
+       }
+
        if (!is_tgs) {
                server_restrictions_present = authn_policy_restrictions_present(
                                                        server->server_policy);
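Review bot: The moved `samba_kdc_get_user_info_dc()` call now runs ahead of the `if (!is_tgs)` policy block, so the order of failure handling in samba_kdc_update_pac() changes, and nothing at the new location says why the lookup has to come first. The lines between the two hunks are not visible here, but if any of them leave via `goto done`, those paths now perform the lookup first, and a lookup failure is logged and returned instead of whatever the skipped checks would have reported. I would add a short comment above the call such as `/* Fetch user_info_dc before the policy checks below; a failure here now takes precedence over errors from those checks. */` and confirm that this precedence is intended for the KDC's reply. The function body starts and ends outside this hunk.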
@@ -2774,26 +2794,6 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                }
        }
 
-       /*
-        * If we are creating a TGT, resource groups from our domain are not to
-        * be put into the PAC. Instead, we take the resource groups directly
-        * from the original PAC and copy them unmodified into the new one.
-        */
-       code = samba_kdc_get_user_info_dc(tmp_ctx,
-                                         context,
-                                         kdc_db_ctx,
-                                         client,
-                                         &user_info_dc_const,
-                                         is_tgs ? &_resource_groups : NULL);
-       if (code != 0) {
-               const char *err_str = krb5_get_error_message(context, code);
-               DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
-                       err_str != NULL ? err_str : "<unknown>");
-               krb5_free_error_message(context, err_str);
-
-               goto done;
-       }
-
        /*
         * Enforce the AllowedToAuthenticateTo part of an authentication policy,
         * if one is present.