samba/backport-0021-CVE-2022-2031-CVE-2022-32744.patch

From 29f15fe2d92831dcf5f4eb6d295df866ff689ee3 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 25 Nov 2021 10:53:49 +1300
Subject: [PATCH 45/99] kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets

Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when
presented with an RODC-issued TGT. By removing this PAC buffer from
RODC-issued tickets, we ensure that an RODC-issued ticket will still
result in a PAC if it is first renewed or validated by the main DC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4b60e9516497c2e7f1545fe50887d0336b9893f2)
Conflict: remove selftest/knownfail_heimdal_kdc
---
source4/kdc/wdc-samba4.c | 2 +-
2 files changed, 1 insertion(+), 14 deletions(-)
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 17af76f4edb..713720bcb99 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -579,7 +579,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
type_blob = data_blob_const(&zero_byte, 1);
break;
case PAC_TYPE_ATTRIBUTES_INFO:
- if (is_krbtgt) {
+ if (!is_untrusted && is_krbtgt) {
/* just copy... */
break;
} else {
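Review bot: the `/* just copy... */` comment on the `PAC_TYPE_ATTRIBUTES_INFO` branch no longer explains the condition it sits under now that `!is_untrusted` has been added; a reader of `samba_wdc_reget_pac2` will not know from the code alone why an untrusted (RODC-issued) krbtgt ticket is sent down the `else` path. Suggest extending the comment to carry the rationale from the commit message, e.g. `/* Keep the buffer only for TGTs issued by a full DC; dropping it from RODC-issued TGTs ensures a PAC is still issued once the ticket is renewed or validated by the main DC. */`. Separately, the diffstat above reports `2 files changed, 1 insertion(+), 14 deletions(-)` while only the one-line change to `source4/kdc/wdc-samba4.c` is present, which matches the `Conflict: remove selftest/knownfail_heimdal_kdc` note; regenerating the stat line after the conflict resolution would keep the header consistent with the hunk actually shipped.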
--
2.25.1