From: Gary Lockyer <gary@catalyst.net.nz>
Date: Mon, 20 Oct 2025 00:03:31 +0000 (+1300)
Subject: s4:kdc always include the PAC
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c86bad059fc545ba0c90381ea3f3d0e0eaa325a2;p=thirdparty%2Fsamba.git

s4:kdc always include the PAC

Set the heimdal always_include_pac configuration flag, based on the samba
kdc always include pac option

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Nov 13 23:12:55 UTC 2025 on atb-devel-224
---

diff --git a/selftest/knownfail.d/always-include-pac b/selftest/knownfail.d/always-include-pac
deleted file mode 100644
index 74f39dc8d0b..00000000000
--- a/selftest/knownfail.d/always-include-pac
+++ /dev/null
@@ -1,6 +0,0 @@
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_false.*ad_dc
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_request_no_pac.*ad_dc
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_request_false.*ad_dc
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_false.*ad_dc
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_false.*ad_dc
-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_false
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index 0eb849c4ce0..f05e9511d50 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -37,6 +37,9 @@
 #include "../lib/util/util_tdb.h"
 #include <krb5/send_to_kdc_plugin.h>
 #endif
+#ifdef USING_EMBEDDED_HEIMDAL
+#include <krb5_locl.h>
+#endif
 
 /*
   context structure for operations on cldap packets
@@ -816,6 +819,16 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx,
 	}
 	krb5_set_warn_dest(kctx, logf);
 #endif
+#ifdef USING_EMBEDDED_HEIMDAL
+	/*
+	 * The KRB5_CTX_F_ALWAYS_INCLUDE_PAC flag is a Samba extension to
+	 * Heimdal and is only available in the embedded heimdal
+	 */
+	if (lpcfg_kdc_always_include_pac(lp_ctx)) {
+		kctx->flags |= KRB5_CTX_F_ALWAYS_INCLUDE_PAC;
+	}
+#endif
+
 	talloc_steal(parent_ctx, *smb_krb5_context);
 	talloc_free(tmp_ctx);