s4:auth: Make returning resource groups the last thing we do

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index b4783e60b09ef6fc454dd8943247bc74980085a3..1d2ff1df059fb2fc074bc90469ac9d4f1e9ad181 100644 (file)
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -452,16 +452,6 @@ krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx,
                }
        }
 
-       /*
-        * If we have resource groups and the caller wants them returned, we
-        * oblige.
-        */
-       if (resource_groups != NULL &&
-           info.logon_info.info->resource_groups.groups.count != 0)
-       {
-               *resource_groups = &info.logon_info.info->resource_groups;
-       }
-
        /*
         * Based on the presence of a REQUESTER_SID PAC buffer, ascertain
         * whether the ticket is a TGT. This helps the KDC and kpasswd service
@@ -483,6 +473,16 @@ krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx,
                user_info_dc_out->ticket_type = TICKET_TYPE_TGT;
        }
 
+       /*
+        * If we have resource groups and the caller wants them returned, we
+        * oblige.
+        */
+       if (resource_groups != NULL &&
+           info.logon_info.info->resource_groups.groups.count != 0)
+       {
+               *resource_groups = &info.logon_info.info->resource_groups;
+       }
+
        *user_info_dc = user_info_dc_out;
 
        return 0;