From 96bdcf7ea9d06e4681af012974458d67d264cfda Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 16 Nov 2010 09:33:05 +1100 Subject: [PATCH] s4-kdc Don't regenerate the PAC for cross-realm tickets We should never get a cross-realm ticket that was not issued by a full DC, but if someone claims to have such a thing, reject it rather than segfaulting on the NULL client pointer. Andrew Bartlett Autobuild-User: Andrew Bartlett Autobuild-Date: Mon Nov 15 23:59:34 UTC 2010 on sn-devel-104
---
 source4/kdc/wdc-samba4.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index a6487110f70..fb5816d33bf 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -84,6 +84,9 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context,
 * RODC, then we need to regenerate the PAC - we can't trust
 * it */
 if (samba_krbtgt_was_untrusted_rodc(krbtgt)) {
+ if (client == NULL) {
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ }
 nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(mem_ctx);
-- 
2.34.1
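Review bot: The added `client == NULL` branch returns without releasing `mem_ctx`, whereas the failure path two lines further down calls `talloc_free(mem_ctx)` before bailing out. The allocation of `mem_ctx` and the rest of samba_wdc_reget_pac are outside this hunk, so the parent context should be confirmed, but if it is long-lived then every rejected ticket of this kind would leave a context behind. Since the condition is driven by what the requester presents, I would put `talloc_free(mem_ctx);` immediately before `return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;`. A one-line comment such as `/* cross-realm: no local client entry, so the PAC cannot be regenerated */` would also record why NULL is expected here.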