From 126ea0e595a4728d81e4b8a7ccf0b68f6edd0060 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sat, 17 Feb 2007 07:52:01 +0000
Subject: [PATCH] Don't check PACs on cross realm requests.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20254 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/krb5tgs.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 22d3c1150..73c149396 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1258,6 +1258,7 @@ tgs_build_reply(krb5_context context,
 krb5_keyblock sessionkey;
 krb5_kvno kvno;
 krb5_data rspac;
+ int cross_realm = 0;
 PrincipalName *s;
 Realm r;
@@ -1421,6 +1422,8 @@ server_lookup:
 kdc_log(context, config, 1, "Client not found in database: %s: %s", cpn, krb5_get_err_text(context, ret));
+
+ cross_realm = 1;
 }
 /*
@@ -1705,7 +1708,7 @@ server_lookup:
 }
 /* check PAC if there is one */
- {
+ if (!cross_realm) {
 Key *tkey;
 ret = hdb_enctype2key(context, &krbtgt->entry,
@@ -1721,7 +1724,7 @@ server_lookup:
 tgt, &rspac, &require_signedpath);
 if (ret) {
 kdc_log(context, config, 0,
- "check_PAC check failed for %s (%s) from %s with %s",
+ "Verify PAC failed for %s (%s) from %s with %s",
 spn, cpn, from, krb5_get_err_text(context, ret));
 goto out;
 }
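Review bot: In the second hunk, `cross_realm = 1;` is set on the path that logs "Client not found in database", so the flag records a failed client lookup rather than an actual realm comparison. Whether this branch has already rejected clients of the local realm is not visible in the hunk; if it has not, or if the lookup can fail for a reason other than a missing entry, a local client would have its PAC check skipped by the `if (!cross_realm)` guard in the third hunk. I would set the flag only where the realm mismatch is established, or at least document the dependency next to the assignment: `/* reached only for clients of a foreign realm; PAC verification is skipped below */`. The enclosing branch starts outside the hunk.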
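Review bot: With the `if (!cross_realm) {` guard in the third hunk, the PAC-check call that receives `&rspac` and `&require_signedpath` (visible in the fourth hunk) no longer runs for cross-realm requests, so both keep whatever value they had before the block. Their initialisation is outside the hunk; please confirm that `rspac` is zeroed beforehand, for example with `krb5_data_zero(&rspac);`, and that later code does not carry a PAC from the foreign TGT into the reply without it ever having been verified. The skip is also silent, so an else branch with something like `kdc_log(context, config, 5, "Skipping PAC verification for cross-realm client %s", cpn);` would leave an audit trail. The guarded block continues past the end of the hunk.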