From: Stefan Metzmacher
Date: Tue, 11 Mar 2025 11:09:43 +0000 (+0100)
Subject: s4:kdc: let hdb_samba4_check_rbcd() fill device_pac_entry() without device_entry
X-Git-Tag: tevent-0.17.0~391
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0f12b05a83836c6c9bf33a9660cecdde589e0f0;p=thirdparty%2Fsamba.git
s4:kdc: let hdb_samba4_check_rbcd() fill device_pac_entry() without device_entry
If we have a device_pac we also have device_server/krbtgt_entry, while device_entry is optional.
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 71a54da5a65..01450148a1c 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -357,16 +357,26 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
 client_skdc_entry,
 client_krbtgt_skdc_entry);
- if (device != NULL) {
+ if (device_pac != NULL) {
 struct samba_kdc_entry *device_skdc_entry = NULL;
 const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL;
- device_skdc_entry = talloc_get_type_abort(device->context,
- struct samba_kdc_entry);
+ /*
+ * If we have a armor_pac we also have armor_server,
+ * otherwise we can't decrypt the ticket and get to
+ * the pac.
+ */
+ device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context,
+ struct samba_kdc_entry);
- if (device_krbtgt != NULL) {
- device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context,
- struct samba_kdc_entry);
+ /*
+ * The armor ticket might be from a different
+ * domain, so we may not have a local db entry
+ * for the device.
+ */
+ if (device != NULL) {
+ device_skdc_entry = talloc_get_type_abort(device->context,
+ struct samba_kdc_entry);
 }
 device_pac_entry = samba_kdc_entry_pac(device_pac,