From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 10 Mar 2025 23:13:20 +0000 (+0100)
Subject: s4:kdc: let samba_kdc_get_device_pac() always extract device_krbtgt_skdc_entry
X-Git-Tag: tevent-0.17.0~393
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=18a28c15c462df3a6e745c8b69371b4e1f434671;p=thirdparty%2Fsamba.git

s4:kdc: let samba_kdc_get_device_pac() always extract device_krbtgt_skdc_entry

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---

diff --git a/source4/kdc/kdc-glue.c b/source4/kdc/kdc-glue.c
index 6fd52ef3985..43764557e46 100644
--- a/source4/kdc/kdc-glue.c
+++ b/source4/kdc/kdc-glue.c
@@ -71,19 +71,30 @@ struct samba_kdc_entry_pac samba_kdc_get_device_pac(const astgs_request_t r)
 {
 	const hdb_entry *device = kdc_request_get_armor_client(r);
 	struct samba_kdc_entry *device_skdc_entry = NULL;
-	const hdb_entry *device_krbtgt = NULL;
+	const hdb_entry *device_krbtgt = kdc_request_get_armor_server(r);
 	const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL;
 	const krb5_const_pac device_pac = kdc_request_get_armor_pac(r);
 
+	if (device_pac == NULL) {
+		return samba_kdc_entry_pac(NULL, NULL, NULL);
+	}
+
+	/*
+	 * If we have a armor_pac we also have armor_server,
+	 * otherwise we can't decrypt the ticket and get to
+	 * the pac.
+	 */
+	device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context,
+							 struct samba_kdc_entry);
+
+	/*
+	 * The armor ticket might be from a different
+	 * domain, so we may not have a local db entry
+	 * for the device.
+	 */
 	if (device != NULL) {
 		device_skdc_entry = talloc_get_type_abort(device->context,
 							  struct samba_kdc_entry);
-
-		device_krbtgt = kdc_request_get_armor_server(r);
-		if (device_krbtgt != NULL) {
-			device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context,
-									 struct samba_kdc_entry);
-		}
 	}
 
 	return samba_kdc_entry_pac(device_pac,