mit-kdc: do we always include the PAC for AS requests?

Isaac Boukris iboukris at gmail.com
Mon Sep 17 12:52:33 UTC 2018


Hi team,

I'm looking at this code in
'source4/kdc/mit-kdb/kdb_samba_policies.c', and was wondering why we
first check for KRB5_KDB_FLAG_INCLUDE_PAC in AS requests, but later we
just get the PAC anyway even if the flag is not set.
Or am I missing something? See code snippet below.

    if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
        code = ks_get_pac(context, client, client_key, &pac);
        if (code != 0) {
            goto done;
        }
    }

    if (!is_as_req) {
        code = ks_verify_pac(context,
                     flags,
                     ks_client_princ,
                     client,
                     server,
                     krbtgt,
                     server_key,
                     krbtgt_key,
                     authtime,
                     tgt_auth_data,
                     &pac);
        if (code != 0) {
            goto done;
        }
    }

    if (pac == NULL && client != NULL) {

        code = ks_get_pac(context, client, client_key, &pac);
        if (code != 0) {
            goto done;
        }
    }

Thanks!


