author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2023-05-04 15:06:40 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2023-05-18 01:03:37 +0000 |
commit | 1fdff3710511c92bd103473e4c296c98f971dd13 (patch) | |
tree | c057b83fd558147ba89eb19c702ff7dd42f59c69 /source4/auth/sam.c | |
parent | f1212ffe4e4e2c09b9e10e9b7fe5a152e6f7adf6 (diff) | |
download | samba-1fdff3710511c92bd103473e4c296c98f971dd13.tar.gz |
s4:kdc: Look up authentication policies for Kerberos clients and servers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth/sam.c')
-rw-r--r-- | source4/auth/sam.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index b66bfbff8ae..6d25afa6131 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -64,12 +64,23 @@
 	/* Needed for RODC rule processing */ \
 	"msDS-KrbTgtLinkBL"
 
+#define AUTHN_POLICY_ATTRS \
+	/* Required for authentication policies / silos */ \
+	"msDS-AssignedAuthNPolicy", \
+	"msDS-AssignedAuthNPolicySilo"
+
 const char *krbtgt_attrs[] = {
+	/*
+	 * Authentication policies will not be enforced on the TGS
+	 * account. Don’t include the relevant attributes in the account search.
+	 */
 	KRBTGT_ATTRS, NULL
 };
 
 const char *server_attrs[] = {
-	KRBTGT_ATTRS, NULL
+	KRBTGT_ATTRS,
+	AUTHN_POLICY_ATTRS,
+	NULL
 };
 
 const char *user_attrs[] = {
@@ -82,6 +93,7 @@ const char *user_attrs[] = {
 	"msDS-ResultantPSO",
 
 	KRBTGT_ATTRS,
+	AUTHN_POLICY_ATTRS,
 
 	"logonHours",
 
|
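Review bot: The comment added inside `krbtgt_attrs` records a security decision (no authentication policy on the TGS account) but does not say what a consumer should conclude when `msDS-AssignedAuthNPolicy` and `msDS-AssignedAuthNPolicySilo` are missing from a search result. Because this list omits them while `server_attrs` and `user_attrs` (second hunk) request them, a message fetched with `krbtgt_attrs` looks the same as an account with no policy assigned, so a policy lookup handed such a message would presumably fail open; the enforcement code is not visible in this diff, so this needs confirming against the callers. I would extend the comment with a line such as `Callers must not evaluate authentication policy from a message fetched with this list: the attributes are absent by design, not because no policy is assigned.` Separately, the comment uses a typographic apostrophe in `Don’t`; plain ASCII `Don't` keeps the source file free of non-ASCII bytes.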