From: Joseph Sutton
Date: Thu, 5 Oct 2023 03:07:55 +0000 (+1300)
Subject: s4:kdc: Create the Requester SID blob only if we actually need it
X-Git-Tag: tevent-0.16.0~108
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6228267cba64121d14747700b785cc4aa041b810;p=thirdparty%2Fsamba.git
s4:kdc: Create the Requester SID blob only if we actually need it
View with ‘git show -b’.
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index d41ec9cd9eb..2e2f91ff9b5 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2719,14 +2719,16 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 goto done;
 }
- nt_status = samba_kdc_get_requester_sid_blob(tmp_ctx,
- user_info_dc_shallow_copy,
- &requester_sid_blob);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DBG_ERR("samba_kdc_get_requester_sid_blob failed: %s\n",
- nt_errstr(nt_status));
- code = KRB5KDC_ERR_TGT_REVOKED;
- goto done;
+ if (is_tgs) {
+ nt_status = samba_kdc_get_requester_sid_blob(tmp_ctx,
+ user_info_dc_shallow_copy,
+ &requester_sid_blob);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DBG_ERR("samba_kdc_get_requester_sid_blob failed: %s\n",
+ nt_errstr(nt_status));
+ code = KRB5KDC_ERR_TGT_REVOKED;
+ goto done;
+ }
 }
 /* Don't trust RODC-issued claims. Regenerate them. */
@@ -2824,13 +2826,13 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 if (!is_tgs) {
 pac_blobs_remove_blob(pac_blobs, PAC_TYPE_REQUESTER_SID);
- } else {
- code = pac_blobs_add_blob(pac_blobs,
- PAC_TYPE_REQUESTER_SID,
- requester_sid_blob);
- if (code != 0) {
- goto done;
- }
+ }
+
+ code = pac_blobs_add_blob(pac_blobs,
+ PAC_TYPE_REQUESTER_SID,
+ requester_sid_blob);
+ if (code != 0) {
+ goto done;
 }
 /*
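Review bot: In the second hunk `pac_blobs_add_blob(pac_blobs, PAC_TYPE_REQUESTER_SID, requester_sid_blob)` now also runs on the `!is_tgs` path, directly after `pac_blobs_remove_blob()`, while the first hunk fills `requester_sid_blob` only when `is_tgs`. That is safe only if the variable is initialised to NULL at its declaration and `pac_blobs_add_blob()` treats a NULL blob as a no-op; neither is visible here, because `samba_kdc_update_pac()` begins and ends outside both hunks. Since the surrounding code removes PAC_TYPE_REQUESTER_SID whenever `!is_tgs`, a later change to either assumption could put a stale or unset blob back into a non-TGS PAC without any visible edit at this call. I would state the invariant at the call, e.g. `/* requester_sid_blob stays NULL unless is_tgs; adding a NULL blob is a no-op. */`, or keep the `else` so the add remains visibly TGS-only.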