From a2d96f5e29149dd3951e3a19ec52cc070ccc069a Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Mon, 9 Oct 2023 18:20:53 +1300
Subject: [PATCH] s4:kdc: Always regard device info when checking a server authentication policy
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Fri Oct 13 00:11:08 UTC 2023 on atb-devel-224
---
 selftest/knownfail_heimdal_kdc | 3 ---
 source4/kdc/pac-glue.c | 2 +-
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 404e660124e..2ef041b6a29 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -83,7 +83,6 @@
 #
 # Conditional ACE tests
 #
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_to_device_equals\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_A_is_less_than__\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__apple_banana__equals_literal__apple_banana_apple_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_equal_foo\(ad_dc\)
@@ -159,8 +158,6 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_both_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_claims_invalid_no_attrs\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_claims_present\(ad_dc\)
 #
 # Conditional ACE device restrictions
 #
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index c376f15b039..124f2e35003 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1755,7 +1755,7 @@ krb5_error_code samba_kdc_allowed_to_authenticate_to(TALLOC_CTX *mem_ctx,
 device_info,
 auth_claims,
 server_policy,
- (struct authn_policy_flags) {},
+ (struct authn_policy_flags) { .force_compounded_authentication = true },
 server_audit_info_out);
 if (!NT_STATUS_IS_OK(status)) {
 if (status_out != NULL) {
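Review bot: The `authn_policy_flags` compound literal in the pac-glue.c hunk now sets `force_compounded_authentication`, but nothing at the call site says why. The flag name alone does not tell a reader that it is what makes the server policy check consult `device_info`. I would add a comment above the argument, for example `/* Always take device_info into account when evaluating a server authentication policy. */`. It is also worth confirming, outside this hunk, how the callee behaves when `device_info` is NULL (presumably a request that carries no device PAC) with compounding forced, so that a device condition in the policy fails closed rather than being skipped. The body of `samba_kdc_allowed_to_authenticate_to` starts and ends outside the hunk.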