s4:kdc: Add comment regarding RODC‐issued evidence tickets for constrained delegation
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 10 Oct 2023 02:16:24 +0000 (15:16 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 12 Oct 2023 23:13:32 +0000 (23:13 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/mit_samba.c

index ef1436234812b4407779fec99576db215faa4e28..a3904a4d75d11d4ad453ef53f86cf979e41ea8d2 100644 (file)
@@ -840,6 +840,12 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from(
                return ENOMEM;
        }
 
+       /*
+        * FIXME: If ever we support RODCs, we must check that the PAC has not
+        * been issued by an RODC (other than ourselves) — otherwise the PAC
+        * cannot be trusted. Because the plugin interface does not give us the
+        * client entry, we cannot look up its groups in the database.
+        */
        code = kerberos_pac_to_user_info_dc(mem_ctx,
                                            header_pac,
                                            ctx->context,
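Review bot: The new FIXME says an RODC-issued PAC cannot be trusted and that the client's groups cannot be looked up, but it leaves the reader to infer how those two statements connect, i.e. what a full DC is expected to do with such a PAC. I would state the intended remedy explicitly so the eventual RODC work has a spec to follow, e.g. append `In that case the group information carried in the evidence ticket's PAC must be discarded and re-derived from the client's database entry, which this plugin callback does not receive.` (that this is the remedy is my reading of the comment, not something this hunk shows). It would also help to name where the issuer check belongs, e.g. `The check would go before kerberos_pac_to_user_info_dc() below.` Since RODCs are not supported here, this is a comment-only change and the call that follows needs no change now. mit_samba_check_allowed_to_delegate_from() starts before this hunk and continues past it.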