From e9367887123ce43c55a7ab436afe659900bdc532 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 20 Jun 2023 16:50:18 +1200
Subject: [PATCH] s4:kdc: Include default groups in security token

This is consistent with the behaviour of the existing function _authn_policy_access_check() and of Windows.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
---
 selftest/knownfail_heimdal_kdc | 2 --
 source4/kdc/db-glue.c | 4 +++-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 5ed4f1d7462..61b00aa0200 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -63,5 +63,3 @@
 # ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_empty.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_empty.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_rbcd_to_self.ad_dc
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index b99abd18c73..c07c2dbc24a 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -3352,7 +3352,9 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
 struct security_descriptor *rbcd_security_descriptor = NULL;
 struct auth_user_info_dc *user_info_dc = NULL;
 struct security_token *security_token = NULL;
- uint32_t session_info_flags = AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+ uint32_t session_info_flags =
+ AUTH_SESSION_INFO_DEFAULT_GROUPS |
+ AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
 /*
 * Testing shows that although Windows grants SEC_ADS_GENERIC_ALL access
 * in security descriptors it creates for RBCD, its KDC only requires
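Review bot: The widened `session_info_flags` initialiser in samba_kdc_check_s4u2proxy_rbcd() carries no in-place explanation, so a reader has to find this commit to learn why the token used for the RBCD access check should include the default groups, and the combination now has to be kept in step with _authn_policy_access_check() by hand. Suggest a comment above the initialiser, e.g. `/* Default groups are included so the RBCD access check sees the same token as _authn_policy_access_check() and a Windows KDC. */`, or a single named constant shared by both call sites. Whether the same parity also calls for AUTH_SESSION_INFO_AUTHENTICATED is not visible in this hunk and is worth confirming against that function. The body of samba_kdc_check_s4u2proxy_rbcd() continues outside the hunk.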