From e446e5816bdaa3a9ef9d7d78e4b09728c740615f Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Mon, 20 Mar 2023 16:58:47 +1300
Subject: [PATCH] s4:kdc: Add support for AD client claims
We now create a client claims blob and add it to the PAC.
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 selftest/knownfail.d/tokengroups-claims-valid | 4 -
 selftest/knownfail_heimdal_kdc | 94 ------------
 selftest/knownfail_mit_kdc | 90 ------------
 selftest/knownfail_mit_kdc_1_20 | 42 ++++++
 selftest/knownfail_mit_kdc_pre_1_20 | 5 +
 source4/kdc/db-glue.c | 2 +
 source4/kdc/mit_samba.c | 15 +-
 source4/kdc/pac-glue.c | 136 +++++++++++++++++-
 source4/kdc/pac-glue.h | 13 ++
 source4/kdc/wdc-samba4.c | 6 +-
 source4/kdc/wscript_build | 2 +-
 source4/selftest/tests.py | 2 +-
 source4/torture/rpc/remote_pac.c | 54 +++++--
 13 files changed, 259 insertions(+), 206 deletions(-)
 delete mode 100644 selftest/knownfail.d/tokengroups-claims-valid
diff --git a/selftest/knownfail.d/tokengroups-claims-valid b/selftest/knownfail.d/tokengroups-claims-valid
deleted file mode 100644
index 23cefc93fdf..00000000000
--- a/selftest/knownfail.d/tokengroups-claims-valid
+++ /dev/null
@@ -1,4 +0,0 @@
-^samba4.tokengroups.krb5.python.__main__.DynamicTokenTest.test_pac_groups.ad_dc_default:local
-^samba4.tokengroups.krb5.python.__main__.DynamicTokenTest.test_rootDSE_tokenGroups.ad_dc_default:local
-^samba4.tokengroups.krb5.python.__main__.StaticTokenTest.test_pac_groups.ad_dc_default:local
-^samba4.tokengroups.krb5.python.__main__.StaticTokenTest.test_rootDSE_tokenGroups.ad_dc_default:local
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 53bec3f17fd..fea48c36e89 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -59,107 +59,13 @@
 #
 # Claims tests
 #
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_large_compressed_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_large_compressed_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_string_syntax_duplicate_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_string_syntax_duplicate_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_delete.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_modify.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_remove_claims_delete.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_remove_claims_modify.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_delete.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_modify.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_remove_claims_delete.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_remove_claims_modify.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc
 #
 # Group tests
 #
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 3ce97bf3f2f..213903fb530 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -463,92 +463,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 # Claims tests
 #
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_large_compressed_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_large_compressed_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_string_syntax_duplicate_claim.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_string_syntax_duplicate_claim_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type_to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid_.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
@@ -560,10 +474,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_modify.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_remove_claims_delete.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_device_claims_remove_claims_modify.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc
 #
 # Lockout tests
 #
diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20
index 8ffc22a6198..4338f636f76 100644
--- a/selftest/knownfail_mit_kdc_1_20
+++ b/selftest/knownfail_mit_kdc_1_20
@@ -10,7 +10,49 @@
 #
 # Claims tests
 #
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid__to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid__to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid__to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_large_compressed_claim_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid__to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid__to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid__to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_string_syntax_duplicate_claim_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
 #
 # Group tests
 #
diff --git a/selftest/knownfail_mit_kdc_pre_1_20 b/selftest/knownfail_mit_kdc_pre_1_20
index 358c3c20e8e..34de046b646 100644
--- a/selftest/knownfail_mit_kdc_pre_1_20
+++ b/selftest/knownfail_mit_kdc_pre_1_20
@@ -196,3 +196,8 @@ samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.Simple
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_rodc_issued\(
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum\(
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum\(
+#
+# Claims tests
+#
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 55286f04c85..4cc566e698d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1449,6 +1449,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 supported_enctypes |= ENC_FAST_SUPPORTED;
 }
 
+ supported_enctypes |= ENC_CLAIMS_SUPPORTED;
+
 /*
 * Resource SID compression is enabled implicitly, unless
 * disabled in msDS-SupportedEncryptionTypes.
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 29e2c57ea13..a1615063258 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -473,6 +473,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 DATA_BLOB *pcred_blob = NULL;
 DATA_BLOB *pac_attrs_blob = NULL;
 DATA_BLOB *requester_sid_blob = NULL;
+ DATA_BLOB *client_claims_blob = NULL;
 NTSTATUS nt_status;
 krb5_error_code code;
 struct samba_kdc_entry *skdc_entry;
@@ -484,6 +485,8 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
 SAMBA_ASSERTED_IDENTITY_SERVICE :
 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
+ const enum samba_claims_valid claims_valid = SAMBA_CLAIMS_VALID_INCLUDE;
+ const enum samba_compounded_auth compounded_auth = SAMBA_COMPOUNDED_AUTH_EXCLUDE;
 
 skdc_entry = talloc_get_type_abort(client->e_data,
 struct samba_kdc_entry);
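Review bot: `supported_enctypes |= ENC_CLAIMS_SUPPORTED;` in samba_kdc_message2entry() is OR'd in unconditionally, so after this line every entry advertises claims support whatever its msDS-SupportedEncryptionTypes value says, yet the resource-SID-compression rule directly below documents its opt-out in a comment and this bit gets none. If ignoring the attribute is deliberate, say so where the next reader will look: `/* Claims are always advertised; unlike resource SID compression this cannot be switched off via msDS-SupportedEncryptionTypes. */`. If a service is meant to be able to opt out, the OR should be gated the way the ENC_FAST_SUPPORTED assignment above it appears to be. samba_kdc_message2entry() starts and ends outside this hunk, so I cannot see whether the attribute's claims bit is consulted elsewhere.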
@@ -515,6 +518,8 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, nt_status = samba_kdc_get_user_info_dc(tmp_ctx, skdc_entry, asserted_identity, + claims_valid, + compounded_auth, &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); @@ -570,6 +575,14 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, } } + nt_status = samba_kdc_get_claims_blob(tmp_ctx, + skdc_entry, + &client_claims_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return EINVAL; + } + if (replaced_reply_key != NULL && cred_ndr != NULL) { code = samba_kdc_encrypt_pac_credentials(context, replaced_reply_key, @@ -590,7 +603,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, pac_attrs_blob, requester_sid_blob, NULL, /* deleg_blob */ - NULL, /* client_claims_blob */ + client_claims_blob, NULL, /* device_info_blob */ NULL, /* device_claims_blob */ *pac); diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 04d998a1e30..3c0a9f1199b 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -40,6 +40,7 @@ #include "source4/dsdb/samdb/samdb.h" #include "source4/kdc/samba_kdc.h" #include "source4/kdc/pac-glue.h" +#include "source4/kdc/ad_claims.h" #include @@ -131,6 +132,7 @@ static krb5_error_code pac_blobs_from_krb5_pac(struct pac_blobs *pac_blobs, case PAC_TYPE_LOGON_NAME: case PAC_TYPE_CONSTRAINED_DELEGATION: case PAC_TYPE_UPN_DNS_INFO: + case PAC_TYPE_CLIENT_CLAIMS_INFO: case PAC_TYPE_TICKET_CHECKSUM: case PAC_TYPE_ATTRIBUTES_INFO: case PAC_TYPE_REQUESTER_SID: 
@@ -488,6 +490,30 @@ NTSTATUS samba_get_pac_attrs_blob(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +static +NTSTATUS samba_get_claims_blob(TALLOC_CTX *mem_ctx, + struct ldb_context *samdb, + struct ldb_dn *principal_dn, + DATA_BLOB *client_claims_data) +{ + union PAC_INFO client_claims; + int ret; + + ZERO_STRUCT(client_claims); + + *client_claims_data = data_blob_null; + + ret = get_claims_for_principal(samdb, + mem_ctx, + principal_dn, + client_claims_data); + if (ret != LDB_SUCCESS) { + return dsdb_ldb_err_to_ntstatus(ret); + } + + return NT_STATUS_OK; +} + static NTSTATUS samba_get_cred_info_ndr_blob(TALLOC_CTX *mem_ctx, const struct ldb_message *msg, 
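Review bot: `union PAC_INFO client_claims;` and the `ZERO_STRUCT(client_claims);` that follows it in samba_get_claims_blob are never read or passed anywhere; the function only forwards `client_claims_data` to get_claims_for_principal, so the two lines are dead and will trip -Wunused-variable. Drop them, and since the function is new, give it a one-line header such as `/* Fill *client_claims_data with the serialised AD-sourced claims for principal_dn, allocated on mem_ctx; the blob is reset to data_blob_null first. */`. Whether a principal with no claims leaves the blob empty or yields a minimal encoded structure depends on get_claims_for_principal, which is outside this patch, so confirm that before documenting it.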
@@ -1116,6 +1142,60 @@ static NTSTATUS samba_add_asserted_identity(TALLOC_CTX *mem_ctx, num_sids); } +static NTSTATUS samba_add_claims_valid(TALLOC_CTX *mem_ctx, + enum samba_claims_valid claims_valid, + struct auth_user_info_dc *user_info_dc) +{ + switch (claims_valid) { + case SAMBA_CLAIMS_VALID_EXCLUDE: + return NT_STATUS_OK; + case SAMBA_CLAIMS_VALID_INCLUDE: + { + struct dom_sid claims_valid_sid; + + if (!dom_sid_parse(SID_CLAIMS_VALID, &claims_valid_sid)) { + return NT_STATUS_UNSUCCESSFUL; + } + + return add_sid_to_array_attrs_unique( + mem_ctx, + &claims_valid_sid, + SE_GROUP_DEFAULT_FLAGS, + &user_info_dc->sids, + &user_info_dc->num_sids); + } + } + + return NT_STATUS_INVALID_PARAMETER; +} + +static NTSTATUS samba_add_compounded_auth(TALLOC_CTX *mem_ctx, + enum samba_compounded_auth compounded_auth, + struct auth_user_info_dc *user_info_dc) +{ + switch (compounded_auth) { + case SAMBA_COMPOUNDED_AUTH_EXCLUDE: + return NT_STATUS_OK; + case SAMBA_COMPOUNDED_AUTH_INCLUDE: + { + struct dom_sid compounded_auth_sid; + + if (!dom_sid_parse(SID_COMPOUNDED_AUTHENTICATION, &compounded_auth_sid)) { + return NT_STATUS_UNSUCCESSFUL; + } + + return add_sid_to_array_attrs_unique( + mem_ctx, + &compounded_auth_sid, + SE_GROUP_DEFAULT_FLAGS, + &user_info_dc->sids, + &user_info_dc->num_sids); + } + } + + return NT_STATUS_INVALID_PARAMETER; +} + /* * Look up the user's info in the database and create a auth_user_info_dc * structure. If the resulting structure is not talloc_free()d, it will be 
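Review bot: samba_add_claims_valid and samba_add_compounded_auth are the same function with a different SID string, enum type and status text, so any fix to one will have to be duplicated in the other; a shared static helper that takes the SID string leaves each entry point as a two-case switch. While there, `NT_STATUS_UNSUCCESSFUL` for a failed dom_sid_parse of a compile-time constant SID hides a programming error, whereas `NT_STATUS_INTERNAL_ERROR` names it. The sketch below keeps the `NT_STATUS_INVALID_PARAMETER` fall-through for out-of-range enum values.
```c
/*
 * Append a well-known SID such as SID_CLAIMS_VALID to user_info_dc->sids.
 * The SID string is a compile-time constant, so a parse failure is a bug.
 */
static NTSTATUS samba_add_wellknown_sid(TALLOC_CTX *mem_ctx,
					const char *sid_string,
					struct auth_user_info_dc *user_info_dc)
{
	struct dom_sid sid;

	if (!dom_sid_parse(sid_string, &sid)) {
		return NT_STATUS_INTERNAL_ERROR;
	}

	return add_sid_to_array_attrs_unique(mem_ctx,
					     &sid,
					     SE_GROUP_DEFAULT_FLAGS,
					     &user_info_dc->sids,
					     &user_info_dc->num_sids);
}

static NTSTATUS samba_add_claims_valid(TALLOC_CTX *mem_ctx,
				       enum samba_claims_valid claims_valid,
				       struct auth_user_info_dc *user_info_dc)
{
	switch (claims_valid) {
	case SAMBA_CLAIMS_VALID_EXCLUDE:
		return NT_STATUS_OK;
	case SAMBA_CLAIMS_VALID_INCLUDE:
		return samba_add_wellknown_sid(mem_ctx, SID_CLAIMS_VALID, user_info_dc);
	}

	return NT_STATUS_INVALID_PARAMETER;
}

/* … unchanged: samba_add_compounded_auth, rewritten the same way with SID_COMPOUNDED_AUTHENTICATION … */
```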
@@ -1304,22 +1384,27 @@ NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx, DATA_BLOB **_claims_blob) { DATA_BLOB *claims_blob = NULL; + NTSTATUS nt_status; SMB_ASSERT(_claims_blob != NULL); *_claims_blob = NULL; - /* - * Until we support claims we just - * return an empty blob, - * that matches what Windows is doing - * without defined claims - */ claims_blob = talloc_zero(mem_ctx, DATA_BLOB); if (claims_blob == NULL) { return NT_STATUS_NO_MEMORY; } + nt_status = samba_get_claims_blob(mem_ctx, + p->kdc_db_ctx->samdb, + p->msg->dn, + claims_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("Building claims failed: %s\n", + nt_errstr(nt_status)); + return nt_status; + } + *_claims_blob = claims_blob; return NT_STATUS_OK; @@ -1328,6 +1413,8 @@ NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx, NTSTATUS samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx, struct samba_kdc_entry *skdc_entry, enum samba_asserted_identity asserted_identity, + enum samba_claims_valid claims_valid, + enum samba_compounded_auth compounded_auth, struct auth_user_info_dc *user_info_dc_out) { NTSTATUS nt_status; @@ -1370,6 +1457,22 @@ NTSTATUS samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx, return nt_status; } + nt_status = samba_add_claims_valid(mem_ctx, + claims_valid, + user_info_dc_out); + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("Failed to add Claims Valid!\n"); + return nt_status; + } + + nt_status = samba_add_compounded_auth(mem_ctx, + compounded_auth, + user_info_dc_out); + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("Failed to add Compounded Authentication!\n"); + return nt_status; + } + return NT_STATUS_OK; } @@ -1377,6 +1480,7 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx, krb5_context context, struct ldb_context *samdb, const enum auth_group_inclusion group_inclusion, + const enum samba_compounded_auth compounded_auth, const krb5_const_pac pac, DATA_BLOB *pac_blob, struct PAC_SIGNATURE_DATA *pac_srv_sig, struct PAC_SIGNATURE_DATA *pac_kdc_sig) 
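Review bot: On the new failure path in samba_kdc_get_claims_blob the DATA_BLOB from `talloc_zero(mem_ctx, DATA_BLOB)` is left behind on mem_ctx, and the claims data are allocated on mem_ctx rather than on the blob that is handed back, so freeing the returned `*_claims_blob` does not free its contents. Passing the blob as the talloc parent, `samba_get_claims_blob(claims_blob, p->kdc_db_ctx->samdb, p->msg->dn, claims_blob);`, and adding `TALLOC_FREE(claims_blob);` before `return nt_status;` makes the blob own its data and leaves nothing on error — assuming get_claims_for_principal allocates on the context it is given, which its signature suggests but this patch does not show. The removed comment also carried the one fact a reader needs here, that a principal with no claims still produces a zero-length blob and hence a CLIENT_CLAIMS_INFO buffer in every PAC (the torture test changes in this patch count that buffer unconditionally); keep it as `/* With no claims defined this stays an empty blob, matching Windows. */`. The function's start is outside the hunk.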
@@ -1421,6 +1525,14 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx, return nt_status; } + nt_status = samba_add_compounded_auth(mem_ctx, + compounded_auth, + user_info_dc); + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("Failed to add Compounded Authentication!\n"); + return nt_status; + } + nt_status = samba_get_logon_info_pac_blob(mem_ctx, user_info_dc, _resource_groups, @@ -2094,6 +2206,11 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, */ enum samba_asserted_identity asserted_identity = SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY; + const enum samba_claims_valid claims_valid = SAMBA_CLAIMS_VALID_EXCLUDE; + const enum samba_compounded_auth compounded_auth = + (device != NULL && !is_tgs) ? + SAMBA_COMPOUNDED_AUTH_INCLUDE : + SAMBA_COMPOUNDED_AUTH_EXCLUDE; if (client == NULL) { code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; @@ -2103,6 +2220,8 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, nt_status = samba_kdc_get_user_info_dc(mem_ctx, client, asserted_identity, + claims_valid, + compounded_auth, &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n", @@ -2153,6 +2272,10 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, goto done; } } else { + const enum samba_compounded_auth compounded_auth = + (device != NULL && !is_tgs) ? + SAMBA_COMPOUNDED_AUTH_INCLUDE : + SAMBA_COMPOUNDED_AUTH_EXCLUDE; pac_blob = talloc_zero(mem_ctx, DATA_BLOB); if (pac_blob == NULL) { code = ENOMEM; @@ -2163,6 +2286,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, context, samdb, group_inclusion, + compounded_auth, old_pac, pac_blob, NULL, diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h index 0ba27a8e8e1..af3a03111da 100644 --- a/source4/kdc/pac-glue.h +++ b/source4/kdc/pac-glue.h 
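Review bot: `claims_valid` is pinned to SAMBA_CLAIMS_VALID_EXCLUDE in samba_kdc_update_pac while both AS-REQ PAC builders in this patch (mit_samba_get_pac and samba_wdc_get_pac) use SAMBA_CLAIMS_VALID_INCLUDE, and nothing at the declaration says why the SID is withheld on this path. A comment next to the declaration would carry the reasoning, e.g. `/* Claims Valid is minted only when a PAC is first issued; this path rebuilds the PAC from an existing ticket and must not add it. */` — assuming that is the intent, which the code outside the hunk would confirm. samba_kdc_update_pac begins and ends outside the hunk.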
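Review bot: The `compounded_auth` declared inside the `else` branch repeats, expression for expression, the `compounded_auth` declared in the earlier hunk of samba_kdc_update_pac, so the two copies can drift apart and, if the first one is at function scope, the second shadows it and -Wshadow will flag it. Whether the first declaration is in a sibling block or an enclosing one is not visible from the hunks (the `} } else {` suggests a sibling `if` block), but either way one declaration hoisted above the if/else, with the four lines here removed, lets the `samba_kdc_update_pac_blob(...)` call pick up a single value. samba_kdc_update_pac ends outside the hunk.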
@@ -29,6 +29,16 @@ enum samba_asserted_identity { SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY, }; +enum samba_claims_valid { + SAMBA_CLAIMS_VALID_EXCLUDE = 0, + SAMBA_CLAIMS_VALID_INCLUDE, +}; + +enum samba_compounded_auth { + SAMBA_COMPOUNDED_AUTH_EXCLUDE = 0, + SAMBA_COMPOUNDED_AUTH_INCLUDE, +}; + enum { SAMBA_KDC_FLAG_PROTOCOL_TRANSITION = 0x00000001, SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION = 0x00000002, @@ -75,6 +85,7 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx, krb5_context context, struct ldb_context *samdb, enum auth_group_inclusion group_inclusion, + enum samba_compounded_auth compounded_auth, const krb5_const_pac pac, DATA_BLOB *pac_blob, struct PAC_SIGNATURE_DATA *pac_srv_sig, struct PAC_SIGNATURE_DATA *pac_kdc_sig); @@ -82,6 +93,8 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx, NTSTATUS samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx, struct samba_kdc_entry *skdc_entry, enum samba_asserted_identity asserted_identity, + enum samba_claims_valid claims_valid, + enum samba_compounded_auth compounded_auth, struct auth_user_info_dc *_user_info_dc); NTSTATUS samba_kdc_update_delegation_info_blob(TALLOC_CTX *mem_ctx, diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index 167393bbaec..c5bd3760e4f 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -122,6 +122,8 @@ static krb5_error_code samba_wdc_get_pac(void *priv, (is_s4u2self) ? SAMBA_ASSERTED_IDENTITY_SERVICE : SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY; + const enum samba_claims_valid claims_valid = SAMBA_CLAIMS_VALID_INCLUDE; + const enum samba_compounded_auth compounded_auth = SAMBA_COMPOUNDED_AUTH_EXCLUDE; struct auth_user_info_dc user_info_dc = {}; @@ -146,6 +148,8 @@ static krb5_error_code samba_wdc_get_pac(void *priv, nt_status = samba_kdc_get_user_info_dc(mem_ctx, skdc_entry, asserted_identity, + claims_valid, + compounded_auth, &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); 
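Review bot: The new `enum samba_claims_valid` and `enum samba_compounded_auth` in pac-glue.h are used by every KDC backend yet carry no comment saying what they control, and the names alone do not tell a caller that INCLUDE adds a well-known SID to the PAC's group list. Add a line above each, e.g. `/* Whether samba_kdc_get_user_info_dc adds the SID_CLAIMS_VALID SID to the PAC's SID list; the AS-REQ paths pass INCLUDE. */` and `/* Whether the SID_COMPOUNDED_AUTHENTICATION SID is added; passed as INCLUDE when a device was authenticated alongside the client on a non-TGS request. */`, which is what samba_add_claims_valid and samba_add_compounded_auth in pac-glue.c do with the values. The `enum { SAMBA_KDC_FLAG_... }` that follows is unchanged and outside the point.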
@@ -227,7 +231,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, ret = samba_make_krb5_pac(context, logon_blob, cred_blob, upn_blob, pac_attrs_blob, requester_sid_blob, NULL, - NULL, NULL, NULL, + client_claims_blob, NULL, NULL, *pac); talloc_free(mem_ctx); diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build index f5f4887420e..c6c00c4c369 100644 --- a/source4/kdc/wscript_build +++ b/source4/kdc/wscript_build @@ -123,7 +123,7 @@ bld.SAMBA_SUBSYSTEM('sdb_kdb', bld.SAMBA_SUBSYSTEM('PAC_GLUE', source='pac-glue.c', - deps='ldb auth4_sam common_auth samba-credentials samba-hostconfig com_err' + deps='ldb auth4_sam common_auth samba-credentials samba-hostconfig com_err ad_claims' ) bld.SAMBA_LIBRARY('pac', diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index c11347f4f79..da14b377305 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1004,7 +1004,7 @@ for env in ['fileserver_smb1', 'nt4_member', 'clusteredmember', 'ktest', 'nt4_dc planoldpythontestsuite(env, "samba.tests.imports") have_fast_support = 1 -claims_support = 0 +claims_support = 1 compound_id_support = 0 if ('SAMBA4_USES_HEIMDAL' in config_hash or 'HAVE_MIT_KRB5_1_20' in config_hash): diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index f71c5a8087f..edf98a27d11 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -313,7 +313,7 @@ static bool test_PACVerify(struct torture_context *tctx, (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed"); - num_pac_buffers = 6; + num_pac_buffers = 7; if (expect_pac_upn_dns_info) { num_pac_buffers += 1; } 
@@ -749,10 +749,14 @@ static bool test_S4U2Self(struct torture_context *tctx, struct dom_sid *ai_auth_authority = NULL; struct dom_sid *ai_service = NULL; + struct dom_sid *ai_claims_valid = NULL; size_t ai_auth_authority_count = 0; size_t ai_service_count = 0; + size_t ai_claims_valid_count = 0; size_t kinit_asserted_identity_index = 0; + size_t kinit_claims_valid_index = 0; size_t s4u2self_asserted_identity_index = 0; + size_t s4u2self_claims_valid_index = 0; bool ok; TALLOC_CTX *tmp_ctx = talloc_new(tctx); @@ -1000,8 +1004,15 @@ static bool test_S4U2Self(struct torture_context *tctx, SID_SERVICE_ASSERTED_IDENTITY); torture_assert_not_null(tctx, ai_service, "failed to parse SID"); + /* ...and the Claims Valid SID. */ + ai_claims_valid = dom_sid_parse_talloc( + tmp_ctx, + SID_CLAIMS_VALID); + torture_assert_not_null(tctx, ai_claims_valid, "failed to parse SID"); + ai_auth_authority_count = 0; ai_service_count = 0; + ai_claims_valid_count = 0; for (i = 0; i < kinit_session_info->torture->num_dc_sids; i++) { ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i].sid, ai_auth_authority); @@ -1016,15 +1027,25 @@ static bool test_S4U2Self(struct torture_context *tctx, ai_service_count++; kinit_asserted_identity_index = i; } + + ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i].sid, + ai_claims_valid); + if (ok) { + ai_claims_valid_count++; + kinit_claims_valid_index = i; + } } torture_assert_int_equal(tctx, ai_auth_authority_count, 1, "Kinit authority asserted identity should be (1)"); torture_assert_int_equal(tctx, ai_service_count, 0, "Kinit service asserted identity should be (0)"); + torture_assert_int_equal(tctx, ai_claims_valid_count, 1, + "Kinit Claims Valid should be (1)"); ai_auth_authority_count = 0; ai_service_count = 0; + ai_claims_valid_count = 0; for (i = 0; i < s4u2self_session_info->torture->num_dc_sids; i++) { ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i].sid, ai_auth_authority); 
@@ -1039,24 +1060,37 @@ static bool test_S4U2Self(struct torture_context *tctx, ai_service_count++; s4u2self_asserted_identity_index = i; } + + ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i].sid, + ai_claims_valid); + if (ok) { + ai_claims_valid_count++; + s4u2self_claims_valid_index = i; + } } torture_assert_int_equal(tctx, ai_auth_authority_count, 0, "S4U2Self authority asserted identity should be (0)"); torture_assert_int_equal(tctx, ai_service_count, 1, "S4U2Self service asserted identity should be (1)"); + torture_assert_int_equal(tctx, ai_claims_valid_count, 1, + "S4U2Self Claims Valid should be (1)"); - torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids - 1, "Different numbers of domain groups for kinit-based PAC"); - torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s4u2self_session_info->torture->num_dc_sids - 1, "Different numbers of domain groups for S4U2Self"); + /* + * Subtract 2 to account for the Asserted Identity and Claims Valid + * SIDs. + */ + torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids - 2, "Different numbers of domain groups for kinit-based PAC"); + torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s4u2self_session_info->torture->num_dc_sids - 2, "Different numbers of domain groups for S4U2Self"); /* Loop over all three SID arrays. */ for (i = 0, j = 0, k = 0; i < netlogon_user_info_dc->num_sids; i++, j++, k++) { - if (j == kinit_asserted_identity_index) { - /* Skip over the asserted identity SID. */ + while (j == kinit_asserted_identity_index || j == kinit_claims_valid_index) { + /* Skip over the asserted identity and Claims Valid SIDs. */ ++j; } - if (k == s4u2self_asserted_identity_index) { - /* Skip over the asserted identity SID. */ + while (k == s4u2self_asserted_identity_index || k == s4u2self_claims_valid_index) { + /* Skip over the asserted identity and Claims Valid SIDs. 
*/ ++k; } torture_assert_sid_equal(tctx, &netlogon_user_info_dc->sids[i].sid, &kinit_session_info->torture->dc_sids[j].sid, "Different domain groups for kinit-based PAC"); @@ -1212,7 +1246,7 @@ static bool test_S4U2Proxy(struct torture_context *tctx, (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed"); - num_pac_buffers = 8; + num_pac_buffers = 9; torture_assert_int_equal(tctx, pac_data_struct.version, 0, "version"); torture_assert_int_equal(tctx, pac_data_struct.num_buffers, num_pac_buffers, "num_buffers"); @@ -1245,6 +1279,10 @@ static bool test_S4U2Proxy(struct torture_context *tctx, torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_FULL_CHECKSUM"); torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_FULL_CHECKSUM info"); + pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_CLIENT_CLAIMS_INFO); + torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_CLIENT_CLAIMS_INFO"); + torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_CLIENT_CLAIMS_INFO info"); + pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_CONSTRAINED_DELEGATION); torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_CONSTRAINED_DELEGATION"); torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_CONSTRAINED_DELEGATION info");
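Review bot: The new assertions on PAC_TYPE_CLIENT_CLAIMS_INFO in test_S4U2Proxy check only that the buffer exists and that `pac_buf->info` is non-NULL, not what it holds, so a KDC that emits a malformed claims blob, or the service's claims instead of the delegated client's, would still pass. The PAC is already pulled with ndr_pull_PAC_DATA in this test, so a follow-up assertion on the blob itself is cheap: at minimum that its length matches what the test user warrants, or that it decodes, and in the S4U2Proxy case that any claims belong to the delegated client. I cannot tell from the hunk what claims the test principal carries, so the expected value has to come from the test setup outside this hunk; test_S4U2Proxy begins and ends outside the hunk.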