From b4f361796481453e6a6c1722d13b6906075f021f Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Wed, 22 Dec 2021 16:38:52 +1100
Subject: [PATCH] kdc: don't add PAC_ATTRIBUTES PAC buffer for service tickets

Only include the PAC_ATTRIBUTES PAC info buffer if we are issuing a TGT, as its contents are not relevant to application services. (The buffer contains a bit indicating whether the client explicitly or implicitly requested a PAC.)

---
 kdc/kerberos5.c | 7 ++++---
 kdc/krb5tgs.c | 11 +++++++++--
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 4a82cc748..5f258ca00 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1891,7 +1891,8 @@ get_pac_attributes(krb5_context context, KDC_REQ *req)
 */
 
 static krb5_error_code
-generate_pac(astgs_request_t r, const Key *skey, const Key *tkey)
+generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
+ krb5_boolean is_tgs)
 {
 krb5_error_code ret;
 krb5_pac p = NULL;
@@ -1962,7 +1963,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey)
 rodc_id,
 NULL, /* UPN */
 canon_princ,
- &r->pac_attributes,
+ is_tgs ? &r->pac_attributes : NULL,
 &data);
 krb5_free_principal(r->context, client);
 krb5_pac_free(r->context, p);
@@ -2726,7 +2727,7 @@ _kdc_as_rep(astgs_request_t r)
 
 /* Add the PAC */
 if (!r->et.flags.anonymous) {
- generate_pac(r, skey, krbtgt_key);
+ generate_pac(r, skey, krbtgt_key, is_tgs);
 }
 
 if (r->client->entry.flags.synthetic) {
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 7775f727e..7cc110a39 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -812,6 +812,9 @@ tgs_make_reply(astgs_request_t r,
 * is implementation dependent.
 */
 if (mspac && !et.flags.anonymous) {
+ krb5_boolean is_tgs =
+ krb5_principal_is_krbtgt(r->context, server->entry.principal);
+
 if (r->client_princ) {
 char *cpn;
 
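Review bot: The comment block that closes at the top of this hunk (presumably the header comment of generate_pac(), since the signature follows it directly) is not updated for the new `is_tgs` parameter, so nothing at the declaration says what it controls. Consider adding to that comment a line such as `* is_tgs: TRUE when the ticket being issued is a TGT; the PAC_ATTRIBUTES buffer is only emitted in that case`. The body of generate_pac() continues past the end of this hunk.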
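Review bot: The switch to `is_tgs ? &r->pac_attributes : NULL` at this call site is left uncommented, whereas the equivalent change in kdc/krb5tgs.c extends the comment to state that PAC attributes are not included for service tickets; the AS-REP path deserves the same explanation, since a bare NULL argument tells the reader nothing. A one-liner beside the argument, `is_tgs ? &r->pac_attributes : NULL, /* PAC_ATTRIBUTES only goes into TGTs */`, would do. The signing call this argument belongs to begins before the hunk, so I cannot see from here whether the callee documents a NULL attributes pointer as "omit the buffer"; that contract is what both call sites now rely on.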
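Review bot: The updated call still discards generate_pac()'s krb5_error_code (its return type is visible in the first hunk of this file), so if building or signing the PAC fails, the AS-REP path falls through to the synthetic-client check below and, as far as this hunk shows, the reply proceeds without a PAC. That is pre-existing rather than introduced here, but the TGS path in kdc/krb5tgs.c does `if (ret) goto out;` after its signing call, so the two paths now treat the same failure differently. If the AS behaviour is intentional, a comment such as `/* PAC generation failure is non-fatal here; see generate_pac() */` would record it; if not, propagating the error as the TGS path does is the safer choice. `is_tgs` is not defined in this hunk, so it is presumably an existing local of _kdc_as_rep().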
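Review bot: `is_tgs` is computed here from `krb5_principal_is_krbtgt(r->context, server->entry.principal)`, while the AS-REP path in kdc/kerberos5.c passes an `is_tgs` whose derivation is not shown in this patch; if the two predicates differ (a principal-name check versus, say, an entry flag), the two code paths could disagree about whether a given ticket carries PAC_ATTRIBUTES. A short comment tying them together would help, e.g. `/* Must agree with the is_tgs used by _kdc_as_rep(): PAC_ATTRIBUTES is only needed in TGTs */`. `server` and `et` are referenced but defined outside this hunk, and tgs_make_reply() continues beyond it.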
@@ -821,10 +824,14 @@ tgs_make_reply(astgs_request_t r,
 krb5_xfree(cpn);
 }
- /* The PAC should be the last change to the ticket. */
+ /*
+ * The PAC should be the last change to the ticket. PAC attributes
+ * are not included for service tickets.
+ */
 ret = _krb5_kdc_pac_sign_ticket(r->context, mspac, tgt_name,
 serverkey, krbtgtkey, rodc_id,
 NULL, r->client_princ,
- add_ticket_sig, &et, &r->pac_attributes);
+ add_ticket_sig, &et,
+ is_tgs ? &r->pac_attributes : NULL);
 if (ret)
 goto out;
 }
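Review bot: The new final argument `is_tgs ? &r->pac_attributes : NULL` makes _krb5_kdc_pac_sign_ticket() responsible for treating a NULL attributes pointer as "no PAC_ATTRIBUTES buffer", but nothing in the patch touches that function, so the reader has to trust it already accepts NULL; the same reliance exists at the AS-REP call in kdc/kerberos5.c. If the NULL handling already exists, a brief mention in the commit message or in the comment added here would save the next reader a lookup; if it does not, every service-ticket request would hand the signer a NULL pointer. The comment placement itself is good, as it sits directly above the call that consumes `is_tgs`.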