From: Stefan Metzmacher
Date: Tue, 18 Feb 2025 16:00:01 +0000 (+0100)
Subject: s4:kdc: move samba_kdc_get_user_info_dc() up in samba_kdc_update_pac()
X-Git-Tag: tevent-0.17.0~656
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9fda646adbd6e67374dd98e12842c17c4a7fbd8b;p=thirdparty%2Fsamba.git

s4:kdc: move samba_kdc_get_user_info_dc() up in samba_kdc_update_pac()

This will make further changes easier.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 9accc97445f..7417b86c447 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2700,6 +2700,26 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED;
 }
 
+ /*
+ * If we are creating a TGT, resource groups from our domain are not to
+ * be put into the PAC. Instead, we take the resource groups directly
+ * from the original PAC and copy them unmodified into the new one.
+ */
+ code = samba_kdc_get_user_info_dc(tmp_ctx,
+ context,
+ kdc_db_ctx,
+ client,
+ &user_info_dc_const,
+ is_tgs ? &_resource_groups : NULL);
+ if (code != 0) {
+ const char *err_str = krb5_get_error_message(context, code);
+ DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
+ err_str != NULL ? err_str : "");
+ krb5_free_error_message(context, err_str);
+
+ goto done;
+ }
+
 if (!is_tgs) {
 server_restrictions_present = authn_policy_restrictions_present(
 server->server_policy);
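Review bot: The hoisted samba_kdc_get_user_info_dc() call now runs ahead of the `if (!is_tgs)` authentication-policy block rather than after it, so a lookup failure reaches `goto done` before any of those policy checks are evaluated, and a request that would fail both can now surface a different error code and log line. Both orderings appear to fail closed on a non-zero `code`, but the lines between the old and new position are not part of either hunk, so it should be confirmed that nothing in that stretch assigns `client`, `kdc_db_ctx` or `_resource_groups` that the call previously relied on. The moved comment only explains the `_resource_groups` argument; if the intent of the follow-up changes is to use the lookup result in the policy checks, a line such as `/* Looked up before the policy checks so user_info_dc_const is available to them. */` would record why the call sits here. samba_kdc_update_pac() starts and ends outside the hunk.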
@@ -2774,26 +2794,6 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 }
 }
 
- /*
- * If we are creating a TGT, resource groups from our domain are not to
- * be put into the PAC. Instead, we take the resource groups directly
- * from the original PAC and copy them unmodified into the new one.
- */
- code = samba_kdc_get_user_info_dc(tmp_ctx,
- context,
- kdc_db_ctx,
- client,
- &user_info_dc_const,
- is_tgs ? &_resource_groups : NULL);
- if (code != 0) {
- const char *err_str = krb5_get_error_message(context, code);
- DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
- err_str != NULL ? err_str : "");
- krb5_free_error_message(context, err_str);
-
- goto done;
- }
-
 /*
 * Enforce the AllowedToAuthenticateTo part of an authentication policy,
 * if one is present.