The branch, master has been updated
via c86bad059fc s4:kdc always include the PAC
via b71282b05da s4:kdc:tests: support "kdc always generate pac"
via effb702270f s4:kdc:test add tgs tests to fl2008r2dc env
via 74e9c8f13d6 selftest:fl2008r2dc set "kdc always generate pac"" to no
via 87cdaf088de config: add kdc always include pac
via 63312ccbf74 third_party:heimdal: import lorikeet-heimdal-202510192136
from 7e938f3d233 printing: Fix use of time_t CID#1509005
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit c86bad059fc545ba0c90381ea3f3d0e0eaa325a2
Author: Gary Lockyer <[email protected]>
Date: Mon Oct 20 13:03:31 2025 +1300
s4:kdc always include the PAC
Set the heimdal always_include_pac configuration flag, based on the samba
kdc always include pac option
Signed-off-by: Gary Lockyer <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
Autobuild-User(master): Douglas Bagnall <[email protected]>
Autobuild-Date(master): Thu Nov 13 23:12:55 UTC 2025 on atb-devel-224
commit b71282b05daf413da02660119181c07c4d5bda28
Author: Gary Lockyer <[email protected]>
Date: Fri Oct 31 08:31:33 2025 +1300
s4:kdc:tests: support "kdc always generate pac"
Update the tests to check the "kdc always generate pac" configuration and
expect the presence of a PAC accordingly.
Signed-off-by: Gary Lockyer <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
commit effb702270f6c66361dd7e16a029ab0f233ab5ad
Author: Gary Lockyer <[email protected]>
Date: Fri Oct 31 08:38:08 2025 +1300
s4:kdc:test add tgs tests to fl2008r2dc env
Add kdc_tgs tests to the fl2008r2dc test environment, to ensure that they
are run with "kdc always include pac" (the smb.conf name of the option
referred to as "kdc always generate pac" above) set to no.
Note: This required updating known_fail_mit/kdc_tgs to handle the
expected failures for the fl2008r2dc environment when run against
the MIT kdc
Signed-off-by: Gary Lockyer <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
commit 74e9c8f13d69811c4f3c72faa2e60edde8935b49
Author: Gary Lockyer <[email protected]>
Date: Fri Oct 31 08:36:50 2025 +1300
selftest:fl2008r2dc set "kdc always generate pac"" to no
Set the new configuration option "kdc always include pac" to "no" in the
fl2008r2dc test environment.
This ensures that the KDC is exercised with the option set to "no"; the
default is "yes".
Signed-off-by: Gary Lockyer <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
commit 87cdaf088debe9321e52a5dff6c5e7bd9882b76d
Author: Gary Lockyer <[email protected]>
Date: Mon Oct 20 13:01:14 2025 +1300
config: add kdc always include pac
This option over-rides the PA-PAC-REQUEST received from the client. When
enabled (the default) a PAC will always be included in the response.
Signed-off-by: Gary Lockyer <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
commit 63312ccbf74c7fcc9ed71e8d69c9b29a6580b976
Author: Gary Lockyer <[email protected]>
Date: Mon Oct 20 11:44:26 2025 +1300
third_party:heimdal: import lorikeet-heimdal-202510192136
(commit 041c5049eb0e97edaa422ec240ccfe7380667190)
Add a new flag, KRB5_CTX_F_ALWAYS_INCLUDE_PAC, to the krb5_context flags
(readable from krb5.conf as always_include_pac). If set, it over-rides the
PA-PAC-REQUEST and the PAC is always included in the response.
Signed-off-by: Gary Lockyer <[email protected]>
Reviewed-by: Jennifer Sutton <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
.../smbdotconf/security/kdcalwaysincludepac.xml | 20 ++++++++++
lib/param/loadparm.c | 1 +
python/samba/tests/krb5/fast_tests.py | 3 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 25 +++++++++---
python/samba/tests/krb5/raw_testcase.py | 33 +++++++++++++---
selftest/knownfail_mit_kdc.d/kdc-tgs | 44 +++++++++++-----------
selftest/target/Samba4.pm | 2 +
source3/param/loadparm.c | 1 +
source4/auth/kerberos/krb5_init_context.c | 13 +++++++
source4/selftest/tests.py | 6 +++
third_party/heimdal/kdc/kerberos5.c | 4 ++
third_party/heimdal/lib/krb5/context.c | 1 +
third_party/heimdal/lib/krb5/krb5_locl.h | 1 +
13 files changed, 120 insertions(+), 34 deletions(-)
create mode 100644 docs-xml/smbdotconf/security/kdcalwaysincludepac.xml
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/security/kdcalwaysincludepac.xml
b/docs-xml/smbdotconf/security/kdcalwaysincludepac.xml
new file mode 100644
index 00000000000..5f8b1f2c808
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcalwaysincludepac.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="kdc always include pac"
+ type="boolean"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This option over-rides the PA-PAC-REQUEST received from the client.
+ When enabled (the default) a PAC will always be included in the
+ kerberos responses.
+ </para>
+
+ <para>
+ This option currently only applies if the embedded Heimdal
+ KDC is used.
+ </para>
+
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 69baf4b7054..125838c53a7 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2959,6 +2959,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX
*mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "kdc enable fast", "True");
lpcfg_do_global_parameter(lp_ctx, "strong certificate binding
enforcement", "full");
lpcfg_do_global_parameter(lp_ctx, "certificate backdating
compensation", "0");
+ lpcfg_do_global_parameter(lp_ctx, "kdc always include pac", "True");
lpcfg_do_global_parameter(lp_ctx, "nt status support", "True");
diff --git a/python/samba/tests/krb5/fast_tests.py
b/python/samba/tests/krb5/fast_tests.py
index 3feafc22f53..f75161bb9e0 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -126,6 +126,7 @@ class FAST_Tests(KDCBaseTest):
client_opts={'no_auth_data_required': True})
def test_simple_as_req_self_pac_request_false(self):
+ expect_pac = self.always_include_pac
self._run_test_sequence([
{
'rep_type': KRB_AS_REP,
@@ -140,7 +141,7 @@ class FAST_Tests(KDCBaseTest):
'gen_padata_fn': self.generate_enc_timestamp_padata,
'as_req_self': True,
'pac_request': False,
- 'expect_pac': False
+ 'expect_pac': expect_pac
}
], client_account=self.AccountType.COMPUTER)
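Review bot: `'expect_pac': expect_pac` quietly turns test_simple_as_req_self_pac_request_false into a "PAC is present" test under the default `kdc always include pac = yes`, and nothing in the test body says why; a comment above the sequence would help, e.g. `# With "kdc always include pac" (the default) the KDC ignores pac_request=False, so a PAC is expected anyway.` The behaviour the method name describes is now only exercised when the option is off, which source4/selftest/tests.py in this changeset does not arrange for this suite (fast_tests is planned for ad_dc only), so the no-PAC AS-REQ path appears to lose coverage. The test method starts above this hunk.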
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py
b/python/samba/tests/krb5/kdc_tgs_tests.py
index de52378e591..64397530caf 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -667,7 +667,10 @@ class KdcTgsTests(KdcTgsBaseTests):
pac_request=False, expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
- self.assertIsNone(pac)
+ if not self.always_include_pac:
+ self.assertIsNone(pac)
+ else:
+ self.assertIsNotNone(pac)
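Review bot: The four-line `if not self.always_include_pac: … else: …` block added here is pasted verbatim into four more hunks of this file; one helper on the base class keeps the policy in a single place, e.g. `self.assertEqual(pac is not None, self.always_include_pac)` or a named `_assert_pac_per_policy(pac)`. Each of those call sites also still passes `expect_pac=False` to `get_ticket_pac`/`_run_tgs` while asserting that a PAC is present, which reads as a contradiction; passing `expect_pac=self.always_include_pac` would let the base class do the check itself (raw_testcase already gates its `assertIsNone` on the same flag). The enclosing test method starts outside the hunk.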
def test_request_enterprise_canon(self):
upn = self.get_new_username()
@@ -2644,7 +2647,10 @@ class KdcTgsTests(KdcTgsBaseTests):
ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
- self.assertIsNone(pac)
+ if not self.always_include_pac:
+ self.assertIsNone(pac)
+ else:
+ self.assertIsNotNone(pac)
def test_tgs_pac_request_true(self):
creds = self._get_creds()
@@ -2683,7 +2689,10 @@ class KdcTgsTests(KdcTgsBaseTests):
ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
- self.assertIsNone(pac)
+ if not self.always_include_pac:
+ self.assertIsNone(pac)
+ else:
+ self.assertIsNotNone(pac)
def test_renew_pac_request_true(self):
creds = self._get_creds()
@@ -2773,7 +2782,10 @@ class KdcTgsTests(KdcTgsBaseTests):
ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
- self.assertIsNone(pac)
+ if not self.always_include_pac:
+ self.assertIsNone(pac)
+ else:
+ self.assertIsNotNone(pac)
def test_validate_pac_request_true(self):
creds = self._get_creds()
@@ -2916,7 +2928,10 @@ class KdcTgsTests(KdcTgsBaseTests):
expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
- self.assertIsNone(pac)
+ if not self.always_include_pac:
+ self.assertIsNone(pac)
+ else:
+ self.assertIsNotNone(pac)
def test_user2user_user_pac_request_true(self):
creds = self._get_creds()
diff --git a/python/samba/tests/krb5/raw_testcase.py
b/python/samba/tests/krb5/raw_testcase.py
index 357345a8d8c..c87ea37b372 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -52,6 +52,7 @@ from samba.credentials import Credentials
from samba.dcerpc import claims, krb5pac, netlogon, samr, security, krb5ccache
from samba.gensec import FEATURE_SEAL
from samba.ndr import ndr_pack, ndr_unpack
+from samba.param import LoadParm
from samba.dcerpc.misc import (
SEC_CHAN_WKSTA,
SEC_CHAN_BDC,
@@ -59,9 +60,6 @@ from samba.dcerpc.misc import (
SEC_CHAN_DOMAIN,
SEC_CHAN_DNS_DOMAIN,
)
-from samba.dsdb import (
- UF_SMARTCARD_REQUIRED
-)
import samba.tests
from samba.tests import TestCase
@@ -864,6 +862,28 @@ class RawKerberosTest(TestCase):
padata_checking = '1'
cls.padata_checking = bool(int(padata_checking))
+ using_embedded_heimdal = samba.tests.env_get_var_value(
+ 'USING_EMBEDDED_HEIMDAL',
+ allow_missing=True)
+ if using_embedded_heimdal is None:
+ using_embedded_heimdal = False
+ else:
+ using_embedded_heimdal = bool(int(using_embedded_heimdal))
+ cls.always_include_pac = False
+ # Always generating the PAC is currently only supported by
+ # the Embedded heimdal
+ if using_embedded_heimdal:
+ # get_loadparm loads the client smb.conf
+ # we need to load the server smb.conf to get the server
+ # settings.
+ server_conf = samba.tests.env_get_var_value('SERVERCONFFILE')
+ lp = LoadParm(filename_for_non_global_lp=server_conf)
+ always_include = lp.get("kdc always include pac")
+ if always_include is None:
+ always_include = "True"
+
+ cls.always_include_pac = bool(always_include)
+
kadmin_is_tgs = samba.tests.env_get_var_value('KADMIN_IS_TGS',
allow_missing=True)
if kadmin_is_tgs is None:
@@ -4304,7 +4324,7 @@ class RawKerberosTest(TestCase):
pac_data = self.get_ticket_pac(ticket_creds, expect_pac=expect_pac)
if expect_pac is True:
self.assertIsNotNone(pac_data)
- elif expect_pac is False:
+ elif expect_pac is False and self.always_include_pac is False:
self.assertIsNone(pac_data)
if pac_data is not None:
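Review bot: After this change `expect_pac=False` asserts nothing at all when `always_include_pac` is True — the `elif` simply does not fire — so a caller that passes `expect_pac=False` because the PAC is absent for some other reason (the no-auth-data-required and removed-PAC tests in kdc_tgs_tests look like such cases) no longer checks anything in that configuration. If the intent is "the KDC may add a PAC the caller did not ask for", say so on the line: `elif expect_pac is False and not self.always_include_pac:  # KDC policy may add a PAC anyway`, and consider a distinct caller value for "no PAC under any policy" so those tests keep their assertion. The enclosing method starts and ends outside the hunk.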
@@ -4820,8 +4840,9 @@ class RawKerberosTest(TestCase):
self.assertEqual(expect_pac_attrs_pac_request is True,
requested_pac)
- self.assertEqual(expect_pac_attrs_pac_request is None,
- given_pac)
+ if not self.always_include_pac:
+ self.assertEqual(expect_pac_attrs_pac_request is None,
+ given_pac)
elif (pac_buffer.type == krb5pac.PAC_TYPE_REQUESTER_SID
and expect_requester_sid):
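Review bot: Skipping the `given_pac` assertion entirely when `always_include_pac` is set loses a check the new KDC code makes predictable: kerberos5.c in this changeset turns an explicit include-pac=FALSE into `KRB5_PAC_WAS_GIVEN_IMPLICITLY`, so `given_pac` should be True whenever the request was None or False and False when it was True. Assuming the PAC_ATTRIBUTES buffer mirrors `pac_attributes`, the stronger form is `self.assertEqual(expect_pac_attrs_pac_request is None or (self.always_include_pac and expect_pac_attrs_pac_request is False), given_pac)`; if that assumption does not hold, a comment saying why the flag is left unchecked would help. The surrounding method continues outside the hunk.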
diff --git a/selftest/knownfail_mit_kdc.d/kdc-tgs
b/selftest/knownfail_mit_kdc.d/kdc-tgs
index 58f155a52c3..ae61ea6c364 100644
--- a/selftest/knownfail_mit_kdc.d/kdc-tgs
+++ b/selftest/knownfail_mit_kdc.d/kdc-tgs
@@ -1,41 +1,41 @@
#
# MIT currently returns an error code of 12 KRB5KDC_ERR_POLICY: KDC policy
rejects request, to the
# following tests
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\)
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\)
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account
#
# KDC TGS tests
#
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_kpasswd.ad_dc
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_kpasswd.ad_dc
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_kpasswd.ad_dc
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_kpasswd.ad_dc
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_kpasswd.ad_dc
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_kpasswd.ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_kpasswd
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_kpasswd
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_kpasswd
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_kpasswd
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_kpasswd
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_kpasswd
#
# KDC TGS PAC tests
#
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_no_pac_service_no_auth_data_required\(ad_dc\)
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac\(ad_dc\)
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_client_no_auth_data_required\(ad_dc\)
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_service_no_auth_data_required\(ad_dc\)
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_request_no_pac\(ad_dc\)
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_no_pac_service_no_auth_data_required
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_client_no_auth_data_required
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_service_no_auth_data_required
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_request_no_pac
#
# Extra PAC buffers tests
#
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_tgs_req_from_rodc_extra_pac_buffers\(ad_dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_tgs_req_from_rodc_extra_pac_buffers
#
# Unicode tests
#
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_fast_unicode\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_renew_unicode\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_validate_unicode\(ad_dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_fast_unicode
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_renew_unicode
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_validate_unicode
#
# Singleācomponent krbtgt principal tests
#
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_as_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_tgs_req\(ad_dc\)$
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_service_ticket\(ad_dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_as_req
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_tgs_req
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_service_ticket
#
# KDC TGT tests
#
@@ -48,7 +48,7 @@
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_false
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_none
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_true
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rc4.ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rc4
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_req
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_req_invalid
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_allowed_denied
@@ -107,7 +107,7 @@
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_sname
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rc4.ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rc4
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_req_invalid
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_allowed_denied
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_denied
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 9b0bce4e26d..04d60f332cb 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1885,6 +1885,8 @@ sub provision_fl2008r2dc($$$)
server reject aes schannel:tests4u2selfwk\$ = no
server reject aes schannel:torturepacbdc\$ = no
server reject aes schannel:torturepacwksta\$ = no
+
+ kdc always include pac = no
";
my $extra_provision_options = ["--base-schema=2008_R2"];
my $ret = $self->provision($prefix,
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 5a0cb261824..344b8901401 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -963,6 +963,7 @@ void loadparm_s3_init_globals(struct loadparm_context
*lp_ctx,
Globals.strong_certificate_binding_enforcement
= KDC_CERT_BINDING_FULL;
Globals.certificate_backdating_compensation = 0;
+ Globals.kdc_always_include_pac = true;
Globals.winbind_debug_traceid = true;
diff --git a/source4/auth/kerberos/krb5_init_context.c
b/source4/auth/kerberos/krb5_init_context.c
index 0eb849c4ce0..f05e9511d50 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -37,6 +37,9 @@
#include "../lib/util/util_tdb.h"
#include <krb5/send_to_kdc_plugin.h>
#endif
+#ifdef USING_EMBEDDED_HEIMDAL
+#include <krb5_locl.h>
+#endif
/*
context structure for operations on cldap packets
@@ -816,6 +819,16 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx,
}
krb5_set_warn_dest(kctx, logf);
#endif
+#ifdef USING_EMBEDDED_HEIMDAL
+ /*
+ * The KRB5_CTX_F_ALWAYS_INCLUDE_PAC flag is a Samba extension to
+ * Heimdal and is only available in the embedded heimdal
+ */
+ if (lpcfg_kdc_always_include_pac(lp_ctx)) {
+ kctx->flags |= KRB5_CTX_F_ALWAYS_INCLUDE_PAC;
+ }
+#endif
+
talloc_steal(parent_ctx, *smb_krb5_context);
talloc_free(tmp_ctx);
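Review bot: The new block only ever ORs `KRB5_CTX_F_ALWAYS_INCLUDE_PAC` in, so `kdc always include pac = no` in smb.conf cannot override an `always_include_pac = true` that `init_context_from_config_file` (context.c, same changeset) has already read from krb5.conf. If smb.conf is meant to be authoritative, set the bit both ways: `if (lpcfg_kdc_always_include_pac(lp_ctx)) { kctx->flags |= KRB5_CTX_F_ALWAYS_INCLUDE_PAC; } else { kctx->flags &= ~KRB5_CTX_F_ALWAYS_INCLUDE_PAC; }`. Poking `kctx->flags` through the private `krb5_locl.h` also ties Samba to Heimdal's internal struct layout; a small exported setter next to the flag's definition in the embedded Heimdal would keep that coupling in one place. `smb_krb5_init_context` starts before the hunk.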
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index fb756b164ef..1675112cc1b 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -1320,6 +1320,7 @@ check_padata = int('SAMBA4_USES_HEIMDAL' in config_hash)
expect_nt_status = int('SAMBA4_USES_HEIMDAL' in config_hash)
as_req_logging_support = int('SAMBA4_USES_HEIMDAL' in config_hash)
tgs_req_logging_support = int('SAMBA4_USES_HEIMDAL' in config_hash)
+embedded_heimdal = int('USING_EMBEDDED_HEIMDAL' in config_hash)
ca_dir = os.path.join('selftest', 'manage-ca', 'CA-samba.example.com')
@@ -1357,6 +1358,7 @@ krb5_environ = {
'CA_CERT': ca_cert_path,
'CA_PRIVATE_KEY': ca_private_key_path,
'CA_PASS': ca_pass,
+ 'USING_EMBEDDED_HEIMDAL' : embedded_heimdal,
}
planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
planoldpythontestsuite("none", "samba.tests.krb5.claims_in_pac")
@@ -2076,6 +2078,10 @@ planpythontestsuite(
"ad_dc",
"samba.tests.krb5.kdc_tgs_tests",
environ=krb5_environ)
+planpythontestsuite(
+ "fl2008r2dc",
+ "samba.tests.krb5.kdc_tgs_tests",
+ environ=krb5_environ)
planpythontestsuite(
"ad_dc",
"samba.tests.krb5.fast_tests",
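Review bot: Only kdc_tgs_tests is planned for fl2008r2dc here, yet fast_tests was also made conditional on `always_include_pac` in this changeset, so the `kdc always include pac = no` path of its AS-REQ pac_request=False test never runs. Add `planpythontestsuite("fl2008r2dc", "samba.tests.krb5.fast_tests", environ=krb5_environ)` next to the new entry, with a matching knownfail entry for the MIT KDC if one turns out to be needed.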
diff --git a/third_party/heimdal/kdc/kerberos5.c
b/third_party/heimdal/kdc/kerberos5.c
index 80048109493..7fe72e80705 100644
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
@@ -33,6 +33,7 @@
#include "kdc_locl.h"
#include "krb5_err.h"
+#include "krb5_locl.h"
#ifdef TIME_T_SIGNED
#if SIZEOF_TIME_T == 4
@@ -2221,6 +2222,9 @@ get_pac_attributes(krb5_context context, KDC_REQ *req)
pac_attributes = pacreq.include_pac ? KRB5_PAC_WAS_REQUESTED : 0;
free_PA_PAC_REQUEST(&pacreq);
+ if (pac_attributes == 0 && context->flags & KRB5_CTX_F_ALWAYS_INCLUDE_PAC)
{
+ pac_attributes = KRB5_PAC_WAS_GIVEN_IMPLICITLY;
+ }
return pac_attributes;
}
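Review bot: The condition on the first added line mixes `&&` with a bare bitwise `&`; it evaluates as intended because `&` binds tighter than `&&`, but it should be parenthesised so nobody has to check: `if (pac_attributes == 0 && (context->flags & KRB5_CTX_F_ALWAYS_INCLUDE_PAC)) {`. The override is also silent: a client that sent include-pac=FALSE gets a ticket whose PAC_ATTRIBUTES buffer says the PAC was "given implicitly", indistinguishable from a request that never carried PA-PAC-REQUEST at all, so a comment such as `/* Local policy: an explicit include-pac=FALSE is overridden and the PAC is issued as if it had not been requested. */` would record that this is deliberate. This assumes the earlier, unseen part of get_pac_attributes already returns KRB5_PAC_WAS_GIVEN_IMPLICITLY when no PA-PAC-REQUEST is present, so that `pac_attributes == 0` only arises from an explicit FALSE; the function starts outside the hunk.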
diff --git a/third_party/heimdal/lib/krb5/context.c
b/third_party/heimdal/lib/krb5/context.c
index 0b9c967fb62..b459e19948b 100644
--- a/third_party/heimdal/lib/krb5/context.c
+++ b/third_party/heimdal/lib/krb5/context.c
@@ -241,6 +241,7 @@ init_context_from_config_file(krb5_context context)
INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
INIT_FLAG(context, flags, KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE, FALSE,
"enforce_ok_as_delegate");
INIT_FLAG(context, flags, KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME, FALSE,
"report_canonical_client_name");
+ INIT_FLAG(context, flags, KRB5_CTX_F_ALWAYS_INCLUDE_PAC, FALSE,
"always_include_pac");
/* report_canonical_client_name implies check_pac */
if (context->flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME)
diff --git a/third_party/heimdal/lib/krb5/krb5_locl.h
b/third_party/heimdal/lib/krb5/krb5_locl.h
index 57e7819e9c2..62679222f5a 100644
--- a/third_party/heimdal/lib/krb5/krb5_locl.h
+++ b/third_party/heimdal/lib/krb5/krb5_locl.h
@@ -331,6 +331,7 @@ typedef struct krb5_context_data {
#define KRB5_CTX_F_FCACHE_STRICT_CHECKING 32
#define KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE 64
#define KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME 128
+#define KRB5_CTX_F_ALWAYS_INCLUDE_PAC 256
struct send_to_kdc *send_to_kdc;
#ifdef PKINIT
hx509_context hx509ctx;
--
Samba Shared Repository