From 63de04c01cb7d53773f96a01473a311e1d4264b8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 1 Feb 2018 18:40:58 +0100
Subject: [PATCH] s4:kdc: make sure we expand group memberships of the local domain

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---
 selftest/knownfail.d/expand_trust_token | 1 -
 source4/kdc/pac-glue.c | 11 +++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
 delete mode 100644 selftest/knownfail.d/expand_trust_token

diff --git a/selftest/knownfail.d/expand_trust_token b/selftest/knownfail.d/expand_trust_token
deleted file mode 100644
index c0d44d78121..00000000000
--- a/selftest/knownfail.d/expand_trust_token
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.trust_token.Test.token.with.kerberos
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 9b5f30917a6..126001cb718 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -763,6 +763,17 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
 return NT_STATUS_UNSUCCESSFUL;
 }
 
+ /*
+ * We need to expand group memberships within our local domain,
+ * as the token might be generated by a trusted domain.
+ */
+ nt_status = authsam_update_user_info_dc(mem_ctx,
+ krbtgt->kdc_db_ctx->samdb,
+ user_info_dc);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
 nt_status = samba_get_logon_info_pac_blob(mem_ctx,
 user_info_dc,
 pac_blob);
-- 
2.11.4.GIT
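Review bot: The new comment above `authsam_update_user_info_dc()` says the token may have been generated by a trusted domain, but it does not state what is assumed about the SIDs already in `user_info_dc`; local group expansion takes those SIDs as input, so whatever the trusted domain placed in the PAC is expanded too. The hunk does not show where cross-trust SID validation or filtering happens, so I would name that step in the comment, e.g. `* The SIDs in user_info_dc must already have been validated for the trust (see <filtering step>) before they are expanded here.` Returning `nt_status` on failure is the right fail-closed choice, since no PAC blob is produced from an unexpanded token. If the function's other error paths log, a `DEBUG` line with `nt_errstr(nt_status)` in the new `if` would make cross-trust ticket failures traceable; the body of `samba_kdc_update_pac_blob` starts and ends outside the hunk, so that is to be checked against the full function.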