From: Joseph Sutton
Date: Tue, 3 Oct 2023 21:35:14 +0000 (+1300)
Subject: s4:kdc: Pass resource groups parameter only if we are creating a TGT
X-Git-Tag: tevent-0.16.0~122
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30cfa9b79aca7ca985818f1d4ae0e7b019f3d6b3;p=thirdparty%2Fsamba.git

s4:kdc: Pass resource groups parameter only if we are creating a TGT

No change in behaviour.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index b8b54d3f29a..9a0d4ac33d3 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2557,13 +2557,18 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 }
 }
 
+ /*
+ * If we are creating a TGT, resource groups from our domain are not to
+ * be put into the PAC. Instead, we take the resource groups directly
+ * from the original PAC and copy them unmodified into the new one.
+ */
 code = samba_kdc_obtain_user_info_dc(tmp_ctx,
 context,
 samdb,
- group_inclusion,
+ AUTH_EXCLUDE_RESOURCE_GROUPS,
 client,
 &user_info_dc,
- &_resource_groups);
+ is_tgs ? &_resource_groups : NULL);
 if (code != 0) {
 const char *err_str = krb5_get_error_message(context, code);
 DBG_ERR("samba_kdc_obtain_user_info_dc failed: %s\n",
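Review bot: Hard-coding `AUTH_EXCLUDE_RESOURCE_GROUPS` in the `samba_kdc_obtain_user_info_dc()` call discards `group_inclusion` on every path that reaches it, while the new comment only justifies exclusion when a TGT is being created. Unless `group_inclusion` is already guaranteed to equal `AUTH_EXCLUDE_RESOURCE_GROUPS` here (the enclosing condition is outside the hunk), a service-ticket PAC built on this path would lose its resource-group SIDs, which changes authorization decisions made from the PAC, including deny entries keyed on those groups, and would not match the "No change in behaviour" claim. I would keep the selection explicit, e.g. `is_tgs ? AUTH_EXCLUDE_RESOURCE_GROUPS : group_inclusion,`, or state in the comment why this call is only reached in the TGT case. The last argument can now be `NULL`; whether the callee accepts a NULL out-parameter is not visible here, so a short note at the call such as `/* NULL: resource groups not requested */` would help the next reader. `samba_kdc_update_pac` starts and ends outside the hunk.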