From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 7 Nov 2022 06:27:24 +0000 (+1300)
Subject: auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set
X-Git-Tag: talloc-2.4.1~1675
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d846db42db15465d47f2c5e285d3e958bdf5f98;p=thirdparty%2Fsamba.git

auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set

MS-PAC section 2.5 states that if the resource_groups member is
non-NULL, or resource_groups.groups.count is not zero, the
NETLOGON_RESOURCE_GROUPS flag MUST be set. Thus, there's no need to
process resource groups if the flag is not set.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index b088ebb9a43..7632d263650 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -590,8 +590,6 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
 	const struct PAC_DOMAIN_GROUP_MEMBERSHIP *rg = NULL;
 	size_t sidcount;
 
-	rg = &pac_logon_info->resource_groups;
-
 	validation.sam3 = discard_const_p(struct netr_SamInfo3, &pac_logon_info->info3);
 
 	nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,