diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 9c86662ea04..986c2e9cc24 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -125,8 +125,6 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\) diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index 1daf6d63f51..dc2fffad2e4 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -642,14 +642,6 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r, if (pac_kdc_signature_rodc_id != header_ticket_rodc_id) { struct sdb_entry signing_krbtgt_sdb; - /* - * If we didn't sign the ticket, then return an - * error. - */ - if (pac_kdc_signature_rodc_id != 0) { - return KRB5KRB_AP_ERR_MODIFIED; - } - /* * Fetch our key from the database. To support * key rollover, we're going to need to try @@ -659,8 +651,8 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r, ret = samba_kdc_fetch(context, krbtgt_skdc_entry->kdc_db_ctx, krbtgt->principal, - SDB_F_GET_KRBTGT | SDB_F_CANON, - 0, + SDB_F_GET_KRBTGT | SDB_F_RODC_NUMBER_SPECIFIED | SDB_F_CANON, + ((uint32_t)pac_kdc_signature_rodc_id) << 16, &signing_krbtgt_sdb); if (ret != 0) { return ret;