kdc: do not include PAC for anonymous AS requests

The PAC will typically contain information that may reveal the identity of a
principal. Do not include it for anonymous requests, at least until such time
as the PAC plugin API supports indicating that the request was anonymous.
Luke Howard
2019-05-02 16:57:51 +10:00
committed by Jeffrey Altman
parent 2f013b0d48
commit 7a7eb9de2f


@@ -2239,7 +2239,7 @@ _kdc_as_rep(kdc_request_t r,
}
/* Add the PAC */
if (send_pac_p(context, req)) {
if (send_pac_p(context, req) && !_kdc_is_anon_request(b)) {
generate_pac(r, skey);
}
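Review bot: The comment `/* Add the PAC */` above the changed condition no longer says why the branch can be skipped, so the privacy reason lives only in the commit message. I would replace it with `/* Add the PAC, except for anonymous requests: it may reveal the principal's identity, and the PAC plugin API cannot yet be told the request was anonymous. */`. A client that asked for a PAC now gets none when the request is anonymous, with nothing visible in this hunk that records the decision; a service that later fails for lack of a PAC should be traceable to this line. Whether other ticket-issuing paths need the same `!_kdc_is_anon_request(b)` guard cannot be judged from here, since `_kdc_as_rep` starts and ends outside the hunk.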