s4:kdc: Always fetch resource groups

No behaviour change, and if the caller doesn’t need the resource groups
after all, the cost incurred is little more than the allocation of a
couple of dozen bytes of memory.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 9e19349af5a4f0cf4cbcd58fa7e927b3e08ebaab..544789a3a2f7e1bc39518c6d8647dde9c5284565 100644 (file)
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1189,7 +1189,6 @@ static krb5_error_code samba_kdc_get_user_info_from_pac(TALLOC_CTX *mem_ctx,
        TALLOC_CTX *frame = NULL;
        struct auth_user_info_dc *info = NULL;
        struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL;
-       struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_ptr = NULL;
        krb5_error_code ret = 0;
        NTSTATUS nt_status;
 
@@ -1215,16 +1214,6 @@ static krb5_error_code samba_kdc_get_user_info_from_pac(TALLOC_CTX *mem_ctx,
 
        frame = talloc_stackframe();
 
-       if (resource_groups_out != NULL) {
-               /*
-                * Since we are creating a TGT, resource groups from our domain
-                * are not to be put into the PAC. Instead, we take the resource
-                * groups directly from the original PAC and copy them
-                * unmodified into the new one.
-                */
-               resource_groups_ptr = &resource_groups;
-       }
-
        ret = kerberos_pac_to_user_info_dc(frame,
                                           entry.pac,
                                           context,
@@ -1232,7 +1221,7 @@ static krb5_error_code samba_kdc_get_user_info_from_pac(TALLOC_CTX *mem_ctx,
                                           AUTH_EXCLUDE_RESOURCE_GROUPS,
                                           NULL,
                                           NULL,
-                                          resource_groups_ptr);
+                                          &resource_groups);
        if (ret) {
                const char *krb5err = krb5_get_error_message(context, ret);
                DBG_ERR("kerberos_pac_to_user_info_dc failed: %s\n",