This does the same check as the hdb plugin now. The client check is already
done earlier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
DATA_BLOB *deleg_blob = NULL;
struct samba_kdc_entry *client_skdc_entry = NULL;
struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
+ struct samba_kdc_entry *server_skdc_entry = NULL;
bool is_in_db = false;
bool is_untrusted = false;
size_t num_types = 0;
ssize_t srv_checksum_idx = -1;
ssize_t kdc_checksum_idx = -1;
krb5_pac new_pac = NULL;
+ bool ok;
if (client != NULL) {
client_skdc_entry =
return EINVAL;
}
+ server_skdc_entry =
+ talloc_get_type_abort(server->e_data,
+ struct samba_kdc_entry);
+
+ /* The account may be set not to want the PAC */
+ ok = samba_princ_needs_pac(server_skdc_entry);
+ if (!ok) {
+ return EINVAL;
+ }
+
if (krbtgt == NULL) {
return EINVAL;
}
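Review bot: The new `server_skdc_entry = talloc_get_type_abort(server->e_data, ...)` assignment dereferences `server` with no NULL check visible, while the neighbouring lines guard `client` with `if (client != NULL)` and reject `krbtgt == NULL`. If any caller can reach this with a NULL server entry, the result is a crash of the KDC process instead of an error return; adding `if (server == NULL) { return EINVAL; }` just before the assignment would match the krbtgt handling. The refusal path also returns the same `EINVAL` as the argument errors, so a policy decision (account set not to want a PAC) cannot be told apart from a malformed call in logs. Extending the comment to `/* The account may be set not to want the PAC; refuse to re-sign one for it */` and logging at debug level there would help when triaging ticket failures. The function starts and ends outside the visible lines, so an earlier guard on `server` may already exist.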