From: Joseph Sutton Date: Tue, 10 Oct 2023 02:16:24 +0000 (+1300) Subject: s4:kdc: Add comment regarding RODC‐issued evidence tickets for constrained delegation X-Git-Tag: tevent-0.16.0~86 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6c02e9ac62fc527c7af34214a7253631ae89de51;p=thirdparty%2Fsamba.git s4:kdc: Add comment regarding RODC‐issued evidence tickets for constrained delegation Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index ef143623481..a3904a4d75d 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -840,6 +840,12 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from( return ENOMEM; } + /* + * FIXME: If ever we support RODCs, we must check that the PAC has not + * been issued by an RODC (other than ourselves) — otherwise the PAC + * cannot be trusted. Because the plugin interface does not give us the + * client entry, we cannot look up its groups in the database. + */ code = kerberos_pac_to_user_info_dc(mem_ctx, header_pac, ctx->context,
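Review bot: The FIXME added before the kerberos_pac_to_user_info_dc() call in mit_samba_check_allowed_to_delegate_from() documents a trust gap without closing it: a PAC issued by an RODC other than this KDC is accepted here as the basis for the delegation decision, and the comment says only that a future RODC implementation must add the check. Consider failing closed rather than leaving the gap to memory, for example by returning an error from this function when the KDC is itself configured as an RODC, and by saying in the comment where the equivalent check is made in the non-MIT code path so the two stay in step. Since the comment already states the reason the check cannot be done ("the plugin interface does not give us the client entry"), it would help to name which plugin-interface change would be needed, so the FIXME is actionable. Style point: the comment as shown contains a non-ASCII em dash ("RODC (other than ourselves) — otherwise"); if that character is in the source rather than an artefact of rendering, replace it with an ASCII hyphen or a semicolon to match the rest of the file.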