kdc: Optionally allow missing additional ticket PAC for user-to-user

If the 'require_pac' option is not set, we should not require a PAC in this situation. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-12-17 10:09:41 +13:00
parent 4dc369ef8f
commit 22515634cf
1 changed files with 3 additions and 1 deletions
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1797,7 +1797,9 @@ server_lookup:
 		goto out;
 	    }

-	    if (user2user_pac == NULL || !user2user_kdc_issued) {
+	    if ((config->require_pac && !user2user_pac)
+		|| (user2user_pac && !user2user_kdc_issued))
+	    {
 		ret = KRB5KDC_ERR_BADOPTION;
 		kdc_log(context, config, 0,
 			"Ticket not signed with PAC; user-to-user failed (%s).",