s4:kdc: make sure we expand group memberships of the local domain

author Stefan Metzmacher <metze@samba.org>

Thu, 1 Feb 2018 17:40:58 +0000 (18:40 +0100)

committer Andreas Schneider <asn@cryptomilk.org>

Mon, 19 Mar 2018 19:30:52 +0000 (20:30 +0100)
author Stefan Metzmacher <metze@samba.org>
Thu, 1 Feb 2018 17:40:58 +0000 (18:40 +0100)
committer Andreas Schneider <asn@cryptomilk.org>
Mon, 19 Mar 2018 19:30:52 +0000 (20:30 +0100)
diff --git a/selftest/knownfail.d/expand_trust_token b/selftest/knownfail.d/expand_trust_token

deleted file mode 100644 (file)

index c0d44d7..0000000
--- a/selftest/knownfail.d/expand_trust_token
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.trust_token.Test.token.with.kerberos
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c

index 9b5f30917a6ae5da518b619d6cf686060ae842e9..126001cb7186e806414002ae10c57807a53fc168 100644 (file)
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -763,6 +763,17 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
                 return NT_STATUS_UNSUCCESSFUL;
         }
  
+       /*
+        * We need to expand group memberships within our local domain,
+        * as the token might be generated by a trusted domain.
+        */
+       nt_status = authsam_update_user_info_dc(mem_ctx,
+                                               krbtgt->kdc_db_ctx->samdb,
+                                               user_info_dc);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               return nt_status;
+       }
+
         nt_status = samba_get_logon_info_pac_blob(mem_ctx, 
                                                   user_info_dc, pac_blob);
author	Stefan Metzmacher <metze@samba.org>
	Thu, 1 Feb 2018 17:40:58 +0000 (18:40 +0100)
committer	Andreas Schneider <asn@cryptomilk.org>
	Mon, 19 Mar 2018 19:30:52 +0000 (20:30 +0100)
selftest/knownfail.d/expand_trust_token	[deleted file]	patch \| blob \| history
source4/kdc/pac-glue.c		patch \| blob \| history