In the first place, this check was only applicable to the Heimdal KDC,
the MIT KDC not having support for compounded authentication. Secondly,
it was redundant, because _kdc_fast_check_armor_pac() would have already
been called to verify the armor ticket; a second round of validation
achieved nothing. And finally, the check was flawed: it checked only
*explicitly* armored PACs, and so would have done nothing for an armored
*AS‐REQ*.

In short, this check was useless; remove it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

}
}
- if (device != NULL) {
- SMB_ASSERT(*device_pac != NULL);
-
- /*
- * Check the objectSID of the device and pac data are the same.
- * Does a parse and SID check, but no crypto.
- */
- code = samba_kdc_validate_pac_blob(context,
- device,
- *device_pac);
- if (code != 0) {
- goto done;
- }
- }
-
if (!is_trusted) {
const struct auth_user_info_dc *user_info_dc = NULL;
WERROR werr;
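
Review bot: The removed `if (device != NULL)` block drops more than the redundant samba_kdc_validate_pac_blob() call: it also removes `SMB_ASSERT(*device_pac != NULL);`, which was the only visible statement here of the invariant that a non-NULL device always comes with a non-NULL device PAC. The commit message justifies removing the SID check only. If anything after this point uses *device_pac whenever device is set, consider keeping the assertion on its own, or say in the message that nothing below depends on it. A one-line comment at this spot noting that the armor ticket's PAC has already been verified by _kdc_fast_check_armor_pac() would also help keep a later reader from reintroducing the check.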