diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 55fc8697a35..01fcb132458 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -58,7 +58,6 @@
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_service.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_krbtgt.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_service.ad_dc
-^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_rodc_issued_without_asserted_identity\(ad_dc\)$
 #
 # Authentication policy tests
 #
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 59492766a47..21e8acf6e00 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2178,15 +2178,14 @@ static krb5_error_code samba_kdc_create_device_info_blob(TALLOC_CTX *mem_ctx,
 static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
 krb5_context context,
 struct ldb_context *samdb,
- struct samba_kdc_entry *device,
+ const struct samba_kdc_entry_pac device,
 DATA_BLOB **device_info_blob)
 {
 TALLOC_CTX *frame = NULL;
 krb5_error_code code = EINVAL;
 NTSTATUS nt_status;
- const struct auth_user_info_dc *device_info_dc_const = NULL;
- struct auth_user_info_dc *device_info_dc_shallow_copy = NULL;
+ const struct auth_user_info_dc *device_info = NULL;
 struct netr_SamInfo3 *info3 = NULL;
 struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL;
@@ -2194,14 +2193,15 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
 frame = talloc_stackframe();
- code = samba_kdc_get_user_info_from_db(frame,
- samdb,
- device,
- device->msg,
- &device_info_dc_const);
+ code = samba_kdc_get_user_info_dc(frame,
+ context,
+ samdb,
+ device,
+ &device_info,
+ NULL /* resource_groups_out */);
 if (code) {
 const char *krb5_err = krb5_get_error_message(context, code);
- DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n",
+ DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
 krb5_err != NULL ? krb5_err : "");
 krb5_free_error_message(context, krb5_err);
@@ -2209,37 +2209,7 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
 return KRB5KDC_ERR_TGT_REVOKED;
 }
- /* Make a shallow copy of the user_info_dc structure. */
- nt_status = authsam_shallow_copy_user_info_dc(frame,
- device_info_dc_const,
- &device_info_dc_shallow_copy);
- device_info_dc_const = NULL;
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- DBG_ERR("Failed to allocate user_info_dc SIDs: %s\n",
- nt_errstr(nt_status));
- talloc_free(frame);
- return map_errno_from_nt_status(nt_status);
- }
-
- nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
- device_info_dc_shallow_copy);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DBG_ERR("Failed to add asserted identity: %s\n",
- nt_errstr(nt_status));
- talloc_free(frame);
- return KRB5KDC_ERR_TGT_REVOKED;
- }
-
- nt_status = samba_kdc_add_claims_valid(device_info_dc_shallow_copy);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DBG_ERR("Failed to add Claims Valid: %s\n",
- nt_errstr(nt_status));
- talloc_free(frame);
- return KRB5KDC_ERR_TGT_REVOKED;
- }
-
- nt_status = auth_convert_user_info_dc_saminfo3(frame, device_info_dc_shallow_copy,
+ nt_status = auth_convert_user_info_dc_saminfo3(frame, device_info,
 AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED,
 &info3,
 &resource_groups);
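Review bot: Every failure of the new `samba_kdc_get_user_info_dc` call is still reported as `KRB5KDC_ERR_TGT_REVOKED` (the return sits in the context lines of the following hunk), so the `code` logged by `DBG_ERR` here is discarded. The helper's body is not visible in this diff; if it can fail for reasons unrelated to the ticket, such as an allocation failure, that mapping hides the real cause from the client and from whoever triages the KDC log. Consider passing `code` through when it is `ENOMEM`, or state the intent on the branch with a comment such as `/* Any failure to obtain device info is treated as a revoked TGT. */`. The function starts before this hunk and continues after it.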
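Review bot: Nothing in the new body records where the Asserted Identity and Claims Valid SIDs now come from, although the blob built from `device_info` carries the device's group SIDs into the PAC. The removed lines added both unconditionally on a shallow copy; after this change the function depends on `samba_kdc_get_user_info_dc`, which is not visible here, to supply them, and the knownfail entry dropped for `test_device_info_rodc_issued_without_asserted_identity` suggests that it does. I would add a comment above the `auth_convert_user_info_dc_saminfo3` call, for example `/* device_info comes from samba_kdc_get_user_info_dc(), which is responsible for the Asserted Identity and Claims Valid SIDs; do not add them here. */`, so a later change does not reintroduce or silently lose them. The function begins before this hunk and continues past it.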
@@ -2586,7 +2556,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 code = samba_kdc_get_device_info_blob(tmp_ctx,
 context,
 samdb,
- device.entry,
+ device,
 &device_info_blob);
 if (code != 0) {
 goto done;