From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 19 Feb 2025 16:25:51 +0000 (+0100)
Subject: s4:kdc: let samba_kdc_update_pac() always call samba_kdc_get_logon_info_blob()
X-Git-Tag: tevent-0.17.0~642
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a1a0609da252bb483776ed060f536b9f8950c799;p=thirdparty%2Fsamba.git

s4:kdc: let samba_kdc_update_pac() always call samba_kdc_get_logon_info_blob()

The logic in samba_kdc_get_logon_info_blob() also does
talloc_zero(tmp_ctx, DATA_BLOB) followed by calling
samba_get_logon_info_pac_blob().

So we can always just call samba_kdc_get_logon_info_blob().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index b4dd4a216e6..628b1d891aa 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2855,38 +2855,19 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 		user_info_dc_const = user_info_dc_shallow_copy;
 	}
 
-	if (samba_krb5_pac_is_trusted(client)) {
-		pac_blob = talloc_zero(tmp_ctx, DATA_BLOB);
-		if (pac_blob == NULL) {
-			code = ENOMEM;
-			goto done;
-		}
-
-		nt_status = samba_get_logon_info_pac_blob(tmp_ctx,
-							  user_info_dc_const,
-							  _resource_groups,
-							  group_inclusion,
-							  pac_blob);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			DBG_ERR("samba_get_logon_info_pac_blob failed: %s\n",
-				nt_errstr(nt_status));
-
-			code = map_errno_from_nt_status(nt_status);
-			goto done;
-		}
-	} else {
-		nt_status = samba_kdc_get_logon_info_blob(tmp_ctx,
-							  user_info_dc_const,
-							  _resource_groups,
-							  group_inclusion,
-							  &pac_blob);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			DBG_ERR("samba_kdc_get_logon_info_blob failed: %s\n",
-				nt_errstr(nt_status));
-			code = KRB5KDC_ERR_TGT_REVOKED;
-			goto done;
-		}
+	nt_status = samba_kdc_get_logon_info_blob(tmp_ctx,
+						  user_info_dc_const,
+						  _resource_groups,
+						  group_inclusion,
+						  &pac_blob);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DBG_ERR("samba_kdc_get_logon_info_blob failed: %s\n",
+			nt_errstr(nt_status));
+		code = KRB5KDC_ERR_TGT_REVOKED;
+		goto done;
+	}
 
+	if (samba_krb5_pac_is_trusted(client)) {
 		nt_status = samba_kdc_get_upn_info_blob(tmp_ctx,
 							user_info_dc_const,
 							&upn_blob);