From 72afa2641c24bd18a32463f0b0de7e91feb54290 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Wed, 24 Nov 2021 20:42:22 +1300
Subject: [PATCH 44/99] kdc: Don't include extra PAC buffers in service tickets

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
(cherry picked from commit 90025b6a4d250a15c0f988a9a9150ecfb63069ef)
Conflict: remove selftest/knownfail_heimdal_kdc
---
 source4/kdc/wdc-samba4.c | 31 +++++++++++++++++--------
 2 files changed, 21 insertions(+), 52 deletions(-)

diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 8c3ce71529c..17af76f4edb 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -132,6 +132,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
 krb5_error_code ret;
 NTSTATUS nt_status;
 bool is_in_db, is_untrusted;
+ bool is_krbtgt;
 size_t num_types = 0;
 uint32_t *types = NULL;
 uint32_t forced_next_type = 0;
@@ -471,7 +472,9 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
 goto out;
 }
 
- if (!is_untrusted && !server_skdc_entry->is_krbtgt) {
+ is_krbtgt = krb5_principal_is_krbtgt(context, server->entry.principal);
+
+ if (!is_untrusted && !is_krbtgt) {
 /*
 * The client may have requested no PAC when obtaining the
 * TGT.
@@ -576,17 +579,25 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
 type_blob = data_blob_const(&zero_byte, 1);
 break;
 case PAC_TYPE_ATTRIBUTES_INFO:
- /* just copy... */
- break;
+ if (is_krbtgt) {
+ /* just copy... */
+ break;
+ } else {
+ continue;
+ }
 case PAC_TYPE_REQUESTER_SID:
- /*
- * Replace in the RODC case, otherwise
- * requester_sid_blob is NULL and we just copy.
- */
- if (requester_sid_blob != NULL) {
- type_blob = *requester_sid_blob;
+ if (is_krbtgt) {
+ /*
+ * Replace in the RODC case, otherwise
+ * requester_sid_blob is NULL and we just copy.
+ */
+ if (requester_sid_blob != NULL) {
+ type_blob = *requester_sid_blob;
+ }
+ break;
+ } else {
+ continue;
 }
- break;
 default:
 /* just copy... */
 break;
-- 
2.25.1
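Review bot: The TGT-versus-service-ticket decision now comes from the principal name, `is_krbtgt = krb5_principal_is_krbtgt(context, server->entry.principal);`, instead of the database-entry flag `server_skdc_entry->is_krbtgt` that the removed line consulted, and nothing in the hunk records why the name is the better source of truth. Since this flag now gates which PAC buffers are stripped from the ticket, any case where the two predicates disagree would silently change ticket contents; if `krb5_principal_is_krbtgt` is purely name-based it presumably also matches cross-realm referral TGTs (krbtgt/OTHER@REALM), which would then keep the extra buffers, so it is worth stating whether that is intended. I'd add a comment above the assignment such as `/* Classify by the requested server principal (not the DB entry flag): a krbtgt/... name means a TGT, and only TGTs keep the KDC-internal PAC buffers filtered below. */`. samba_wdc_reget_pac2 begins before and ends after this hunk, so I cannot see whether is_krbtgt is read on any path before this assignment.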
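Review bot: The two new `continue` statements in the PAC_TYPE_ATTRIBUTES_INFO and PAC_TYPE_REQUESTER_SID cases leave the switch through an enclosing loop that is outside the hunk, so a reader of this case block cannot see that `continue` means "omit this buffer from the service ticket", and the `if (is_krbtgt) { ... break; } else { continue; }` shape makes the `else` redundant because `break` already exits the switch. I'd say the intent once and invert the test so the existing copy/replace logic stays at its original nesting depth; the rewritten cases are below. The switch and the loop around it start and end outside the hunk, so this assumes the switch sits directly inside the per-buffer loop (otherwise `continue` would not do what the patch intends).
```c
		case PAC_TYPE_ATTRIBUTES_INFO:
			/* KDC-internal buffer: kept only in a TGT, omitted from service tickets. */
			if (!is_krbtgt) {
				continue;
			}
			/* just copy... */
			break;
		case PAC_TYPE_REQUESTER_SID:
			/* KDC-internal buffer: kept only in a TGT, omitted from service tickets. */
			if (!is_krbtgt) {
				continue;
			}
			/*
			 * Replace in the RODC case, otherwise
			 * requester_sid_blob is NULL and we just copy.
			 */
			if (requester_sid_blob != NULL) {
				type_blob = *requester_sid_blob;
			}
			break;
		/* … unchanged: default case … */
```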