From 22515634cf5a1148cc0290f892b909a17101cc59 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 17 Dec 2021 10:09:41 +1300
Subject: [PATCH] kdc: Optionally allow missing additional ticket PAC for user-to-user

If the 'require_pac' option is not set, we should not require a PAC in this situation.

Signed-off-by: Joseph Sutton
---
 kdc/krb5tgs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 142f0ef92..a3121c000 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1797,7 +1797,9 @@ server_lookup:
             goto out;
         }
 
-        if (user2user_pac == NULL || !user2user_kdc_issued) {
+        if ((config->require_pac && !user2user_pac)
+            || (user2user_pac && !user2user_kdc_issued))
+        {
             ret = KRB5KDC_ERR_BADOPTION;
             kdc_log(context, config, 0,
                     "Ticket not signed with PAC; user-to-user failed (%s).",
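Review bot: With `config->require_pac` unset and no PAC on the additional ticket, the new condition now lets the user-to-user request continue without the `user2user_kdc_issued` check, because that signal only exists when a PAC is present; this trade-off deserves a comment above the `if`, e.g. `/* Without a PAC we cannot tell whether this KDC issued the additional ticket; only reject its absence when require_pac demands one. */`. Consider also a debug-level `kdc_log` in the no-PAC case so operators can observe that the KDC-issued check was bypassed rather than having it pass silently. Any later code in this function that dereferences `user2user_pac` must now tolerate NULL, since this path is newly reachable; that code is outside the hunk and the enclosing function continues beyond it.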