From: Joseph Sutton Date: Thu, 28 Sep 2023 23:44:08 +0000 (+1300) Subject: s4:kdc: Remove device PAC validation X-Git-Tag: tevent-0.16.0~265 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3358b04a589df64cb44a76c9254bf31ff7f96b2f;p=thirdparty%2Fsamba.git s4:kdc: Remove device PAC validation In the first place, this check was only applicable to the Heimdal KDC, the MIT KDC not having support for compounded authentication. Secondly, it was redundant, because _kdc_fast_check_armor_pac() would have already been called to verify the armor ticket; a second round of validation achieved nothing. And finally, the check was flawed: it checked only *explicitly* armored PACs, and so would have done nothing for an armored *AS‐REQ*. In short, this check was useless; remove it. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 861a6c2efe0..5dab57c4e8a 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -2125,21 +2125,6 @@ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx, } } - if (device != NULL) { - SMB_ASSERT(*device_pac != NULL); - - /* - * Check the objectSID of the device and pac data are the same. - * Does a parse and SID check, but no crypto. - */ - code = samba_kdc_validate_pac_blob(context, - device, - *device_pac); - if (code != 0) { - goto done; - } - } - if (!is_trusted) { const struct auth_user_info_dc *user_info_dc = NULL; WERROR werr;
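Review bot: The removed `if (device != NULL)` block also drops `SMB_ASSERT(*device_pac != NULL);`, which is the only check visible in this hunk that a device entry arrives together with a device PAC. If anything later in samba_kdc_verify_pac() still reads `*device_pac`, consider keeping that assertion on its own; if nothing does, it is worth confirming whether the `device` and `device_pac` arguments are still needed at all. The removed comment describes an objectSID comparison between the device and the PAC data ("no crypto"), while the commit message justifies the removal by the armor ticket verification in _kdc_fast_check_armor_pac(). A sentence in the commit message, or a short comment at this spot, saying that the SID match is covered on that path, including for the armored AS-REQ case the message mentions, would make the redundancy claim checkable. A test that presents a device PAC whose SID does not match the device would guard the behaviour.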