From 9eaff7e852bc6cd6d6146d5cf3d6007c3119d5d6 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 16 May 2023 16:48:09 +1200
Subject: s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This corresponds with the HDB_F_ARMOR_PRINCIPAL flag in Heimdal, and indicates a lookup of an armor ticket client principal, rather than the principal of the main TGT. This helps us to determine whether an authentication policy will apply to a principal acting as a client, and hence whether we have to look up the policy in the database. NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 source4/kdc/sdb.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index dccfd37bb06..f211c25187b 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -119,6 +119,7 @@ struct sdb_entry {
 #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
 #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
 #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define SDB_F_ARMOR_PRINCIPAL 262144 /* fetch is for the client of an armor ticket */

 #define SDB_F_HDB_MASK (SDB_F_DECRYPT | \
 SDB_F_GET_CLIENT| \
@@ -128,7 +129,8 @@ struct sdb_entry {
 SDB_F_ADMIN_DATA | \
 SDB_F_KVNO_SPECIFIED | \
 SDB_F_FOR_AS_REQ | \
- SDB_F_FOR_TGS_REQ)
+ SDB_F_FOR_TGS_REQ | \
+ SDB_F_ARMOR_PRINCIPAL)

 /* This is not supported by HDB */
 #define SDB_F_FORCE_CANON 16384 /* force canonicalization */
-- 
cgit v1.2.1
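Review bot: The new `#define SDB_F_ARMOR_PRINCIPAL 262144` in the first hunk is a bare decimal that, per the commit message, has to stay equal to Heimdal's `HDB_F_ARMOR_PRINCIPAL`, and the second hunk adds it to `SDB_F_HDB_MASK`, yet nothing visible in either hunk ties the two values together. If the two ever drift apart, a fetch for an armor-ticket client would presumably no longer be recognised as one, and the authentication-policy decision the commit message describes would be taken on the wrong basis. I would record the dependency at the definition, e.g. `/* fetch is for the client of an armor ticket; must equal HDB_F_ARMOR_PRINCIPAL */`, and, wherever the Heimdal header is in scope and the build's C level allows it, add `_Static_assert(SDB_F_ARMOR_PRINCIPAL == HDB_F_ARMOR_PRINCIPAL, "SDB/HDB flag mismatch");`. The flag list and the mask both start outside the hunks, so whether the other masked flags already have such a check cannot be seen from here.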