From 3b936623a421a5a25f3fce717a6ca8652e7e0845 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 30 Oct 2023 13:40:37 +1300 Subject: [PATCH] =?utf8?q?s4:kdc:=20Add=20Claims=20Valid=20SID=20to=20info?= =?utf8?q?=20regenerated=20from=20RODC=E2=80=90issued=20PACs?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- selftest/knownfail_heimdal_kdc | 6 ------ source4/kdc/pac-glue.c | 8 ++++++++ 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 92eba18901f..b5161fd915a 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -63,7 +63,6 @@
 #
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_empty.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_empty.ad_dc
-^samba\.tests\.krb5\.authn_policy_tests\.samba\.tests\.krb5\.authn_policy_tests\.AuthnPolicyTests\.test_authn_policy_allowed_to_computer_allow_claims_valid_from_rodc\(ad_dc\)$
 #
 # This test fails; but that is acceptable, for we have an alternative test
 # (test_authn_policy_protected_flags_with_policy_error) that expects to receive
@@ -132,14 +131,9 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_delegating_proxy_in_network_group_rbcd\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_aa_asserted_identity_from_rodc_no_attrs_from_rodc\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_aa_asserted_identity_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_asserted_identity_missing_from_rodc\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_claims_valid_missing_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_compound_authentication_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_service_asserted_identity_from_rodc\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_with_aa_asserted_identity_client_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_without_claims_valid_both_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_without_claims_valid_client_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 25d1126f5c4..0e1be2629eb 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1332,6 +1332,14 @@ krb5_error_code samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx, return KRB5KDC_ERR_TGT_REVOKED; } + nt_status = samba_kdc_add_claims_valid(info_shallow_copy); + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("Failed to add Claims Valid: %s\n", + nt_errstr(nt_status)); + TALLOC_FREE(info_shallow_copy); + return KRB5KDC_ERR_TGT_REVOKED; + } + *info_out = info_shallow_copy; return 0; -- 2.47.3
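Review bot: The added `samba_kdc_add_claims_valid(info_shallow_copy)` call stamps the Claims Valid SID unconditionally, and nothing in the hunk records why that is safe for a ticket that arrived with an RODC-issued PAC. Going by the commit subject, the justification is that this info was regenerated rather than taken from the PAC the RODC signed; I would state that above the call, e.g. `/* This info was regenerated by us, not copied from the RODC-issued PAC, so Claims Valid may be asserted. */`, so a later refactor does not reach this line with PAC-derived data. Separately, any failure of the helper is returned as `KRB5KDC_ERR_TGT_REVOKED`, which fails closed but reports an internal error (presumably an allocation failure) to the client as a revocation; worth confirming that is intended. The body of `samba_kdc_get_user_info_dc` starts and ends outside the hunk, so the regeneration path itself is not visible here.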