authorJoseph Sutton <josephsutton@catalyst.net.nz>2023-05-04 15:06:40 +1200
committerAndrew Bartlett <abartlet@samba.org>2023-05-18 01:03:37 +0000
commit1fdff3710511c92bd103473e4c296c98f971dd13 (patch)
treec057b83fd558147ba89eb19c702ff7dd42f59c69 /source4/auth/sam.c
parentf1212ffe4e4e2c09b9e10e9b7fe5a152e6f7adf6 (diff)
s4:kdc: Look up authentication policies for Kerberos clients and servers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth/sam.c')
-rw-r--r--source4/auth/sam.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index b66bfbff8ae..6d25afa6131 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -64,12 +64,23 @@
/* Needed for RODC rule processing */ \
"msDS-KrbTgtLinkBL"
+#define AUTHN_POLICY_ATTRS \
+ /* Required for authentication policies / silos */ \
+ "msDS-AssignedAuthNPolicy", \
+ "msDS-AssignedAuthNPolicySilo"
+
const char *krbtgt_attrs[] = {
+ /*
+ * Authentication policies will not be enforced on the TGS
+ * account. Don’t include the relevant attributes in the account search.
+ */
KRBTGT_ATTRS, NULL
};
const char *server_attrs[] = {
- KRBTGT_ATTRS, NULL
+ KRBTGT_ATTRS,
+ AUTHN_POLICY_ATTRS,
+ NULL
};
const char *user_attrs[] = {
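Review bot: The new comment in `krbtgt_attrs` gives the intent (no policy enforcement on the TGS account) but not the consequence for callers. A message fetched with this list has neither `msDS-AssignedAuthNPolicy` nor `msDS-AssignedAuthNPolicySilo`, and a policy lookup on it would presumably read that as "no policy assigned" rather than "not fetched". The lookup code is not part of this file's diff, so this is inferred; it would still help to extend the comment with something like `* A policy lookup on a message fetched with these attrs finds nothing; do not use it where enforcement is expected.` `server_attrs` was identical to `krbtgt_attrs` before this change, so any caller that treated the two lists as interchangeable is worth checking. The same macro is also added to `user_attrs`, whose body starts at the end of this hunk and continues in the next one.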
@@ -82,6 +93,7 @@ const char *user_attrs[] = {
"msDS-ResultantPSO",
KRBTGT_ATTRS,
+ AUTHN_POLICY_ATTRS,
"logonHours",