1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:kdc: Include default groups in security token

This is consistent with the behaviour of the existing function
_authn_policy_access_check() and of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Joseph Sutton 2023-06-20 16:50:18 +12:00 committed by Stefan Metzmacher
parent 34760dfc89
commit e936788712
2 changed files with 3 additions and 3 deletions

View File

@ -63,5 +63,3 @@
#
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_empty.ad_dc
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_empty.ad_dc
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd_to_self.ad_dc
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_rbcd_to_self.ad_dc

View File

@ -3352,7 +3352,9 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
struct security_descriptor *rbcd_security_descriptor = NULL;
struct auth_user_info_dc *user_info_dc = NULL;
struct security_token *security_token = NULL;
uint32_t session_info_flags = AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
uint32_t session_info_flags =
AUTH_SESSION_INFO_DEFAULT_GROUPS |
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
/*
* Testing shows that although Windows grants SEC_ADS_GENERIC_ALL access
* in security descriptors it creates for RBCD, its KDC only requires