kdc: don't add PAC_ATTRIBUTES PAC buffer for service tickets

Only include the PAC_ATTRIBUTES PAC info buffer if we are issuing a TGT, as its
contents are not relevant to application services. (The buffer contains a bit
indicating whether the client explicitly or implicitly requested a PAC.)

kdc/kerberos5.c

@@ -1891,7 +1891,8 @@ get_pac_attributes(krb5_context context, KDC_REQ *req)
  */
 
 static krb5_error_code
-generate_pac(astgs_request_t r, const Key *skey, const Key *tkey)
+generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
+	     krb5_boolean is_tgs)
 {
     krb5_error_code ret;
     krb5_pac p = NULL;
@@ -1962,7 +1963,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey)
 			 rodc_id,
 			 NULL, /* UPN */
 			 canon_princ,
-			 &r->pac_attributes,
+			 is_tgs ? &r->pac_attributes : NULL,
 			 &data);
     krb5_free_principal(r->context, client);
     krb5_pac_free(r->context, p);
@@ -2726,7 +2727,7 @@ _kdc_as_rep(astgs_request_t r)
 
     /* Add the PAC */
     if (!r->et.flags.anonymous) {
-	generate_pac(r, skey, krbtgt_key);
+	generate_pac(r, skey, krbtgt_key, is_tgs);
     }
 
     if (r->client->entry.flags.synthetic) {

kdc/krb5tgs.c

@@ -812,6 +812,9 @@ tgs_make_reply(astgs_request_t r,
      * is implementation dependent.
      */
     if (mspac && !et.flags.anonymous) {
+	krb5_boolean is_tgs =
+	    krb5_principal_is_krbtgt(r->context, server->entry.principal);
+
 	if (r->client_princ) {
 	    char *cpn;
 
@@ -821,10 +824,14 @@ tgs_make_reply(astgs_request_t r,
 	    krb5_xfree(cpn);
 	}
 
-	/* The PAC should be the last change to the ticket. */
+	/*
+	 * The PAC should be the last change to the ticket. PAC attributes
+	 * are not included for service tickets.
+	 */
 	ret = _krb5_kdc_pac_sign_ticket(r->context, mspac, tgt_name, serverkey,
 					krbtgtkey, rodc_id, NULL, r->client_princ,
-					add_ticket_sig, &et, &r->pac_attributes);
+					add_ticket_sig, &et,
+					is_tgs ? &r->pac_attributes : NULL);
 	if (ret)
 	    goto out;
     }