From a99ce6c560e24c3c6a87bb0d75a573edfe3ee065 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 19 Feb 2025 17:28:42 +0100
Subject: [PATCH] s4:kdc: let samba_kdc_update_pac() always call samba_kdc_get_upn_info_blob()

There's no reason not to regenerate it, it makes the code more consistent.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
 source4/kdc/pac-glue.c | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 628b1d891aa..e19f2dd63aa 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2867,28 +2867,26 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
- if (samba_krb5_pac_is_trusted(client)) {
- nt_status = samba_kdc_get_upn_info_blob(tmp_ctx,
- user_info_dc_const,
- &upn_blob);
+ nt_status = samba_kdc_get_upn_info_blob(tmp_ctx,
+ user_info_dc_const,
+ &upn_blob);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DBG_ERR("samba_kdc_get_upn_info_blob failed: %s\n",
+ nt_errstr(nt_status));
+ code = KRB5KDC_ERR_TGT_REVOKED;
+ goto done;
+ }
+
+ if (!samba_krb5_pac_is_trusted(client) && is_tgs) {
+ nt_status = samba_kdc_get_requester_sid_blob(tmp_ctx,
+ user_info_dc_const,
+ &requester_sid_blob);
 if (!NT_STATUS_IS_OK(nt_status)) {
- DBG_ERR("samba_kdc_get_upn_info_blob failed: %s\n",
+ DBG_ERR("samba_kdc_get_requester_sid_blob failed: %s\n",
 nt_errstr(nt_status));
 code = KRB5KDC_ERR_TGT_REVOKED;
 goto done;
 }
-
- if (is_tgs) {
- nt_status = samba_kdc_get_requester_sid_blob(tmp_ctx,
- user_info_dc_const,
- &requester_sid_blob);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DBG_ERR("samba_kdc_get_requester_sid_blob failed: %s\n",
- nt_errstr(nt_status));
- code = KRB5KDC_ERR_TGT_REVOKED;
- goto done;
- }
- }
 }
 
 if (regenerate_client_claims) {
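Review bot: The guard around the requester-SID regeneration flips polarity in this hunk, and the commit message does not mention it: the removed side nests the `is_tgs` block under `if (samba_krb5_pac_is_trusted(client))`, while the new side runs it under `if (!samba_krb5_pac_is_trusted(client) && is_tgs)`. Which PACs get a freshly built requester SID is a trust decision, so if the inversion is intended it deserves a sentence in the commit message and a comment above the new condition, for example `/* PAC not trusted: rebuild the requester SID blob from user_info_dc_const */`. The unconditional `samba_kdc_get_upn_info_blob()` call would also benefit from a one-line comment saying the UPN blob is always rebuilt from `user_info_dc_const`, since a failure there now ends the request with `KRB5KDC_ERR_TGT_REVOKED` regardless of whether the PAC is trusted. `samba_kdc_update_pac()` starts and ends outside the hunk, so how `upn_blob` and `requester_sid_blob` are consumed cannot be checked from here.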