From d756ad019aec34116eee0dd40b25e5113d5aaaa0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sun, 19 Jun 2011 11:49:33 -0700
Subject: [PATCH] make tests pass again

---
 kdc/krb5tgs.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 3bc66bb40..0f4011a4d 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2043,6 +2043,7 @@ server_lookup:
 }
 krb5_data_free(&rspac);
+
 /*
 * generate the PAC for the user.
 *
@@ -2054,8 +2055,6 @@ server_lookup:
 &clientkey->key, &tkey_check->key, ekey, &tkey_sign->key, &adtkt, &rspac, &ad_signedpath);
- if (ret == 0 && !ad_signedpath)
- ret = KRB5KDC_ERR_BADOPTION;
 if (ret) {
 const char *msg = krb5_get_error_message(context, ret);
 kdc_log(context, config, 0,
@@ -2072,12 +2071,10 @@ server_lookup:
 ret = check_KRB5SignedPath(context, config, krbtgt,
- tp,
+ cp,
 &adtkt, NULL, &ad_signedpath);
- if (ret == 0 && !ad_signedpath)
- ret = KRB5KDC_ERR_BADOPTION;
 if (ret) {
 const char *msg = krb5_get_error_message(context, ret);
 kdc_log(context, config, 0,
@@ -2089,6 +2086,16 @@ server_lookup:
 goto out;
 }
+ if (!ad_signedpath) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ kdc_log(context, config, 0,
+ "Ticket not signed with PAC nor SignedPath service %s failed "
+ "for delegation to %s for client %s "
+ "from %s",
+ spn, tpn, cpn, from);
+ goto out;
+ }
+
 kdc_log(context, config, 0, "constrained delegation for %s " "from %s to %s", tpn, cpn, spn);
 }
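Review bot: In the hunk at `@@ -2072,12 +2071,10 @@`, the principal handed to `check_KRB5SignedPath()` changes from `tp` to `cp` with nothing in the code or the commit message ("make tests pass again") saying why, and that argument presumably selects the identity the SignedPath in `adtkt` is verified against. Going by the log calls elsewhere in this patch, `tpn` appears to name the user being delegated and `cpn` the requester, so the two are different parties in a constrained-delegation request; what the callee binds the principal to is not visible here. I would add a comment directly above the call, such as `/* verify the SignedPath in adtkt against cp rather than tp: <reason> */`, with the reason filled in by the author, and a regression test in which a SignedPath issued for a different principal is rejected. The enclosing block starts and ends outside the hunk.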
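Review bot: The new `if (!ad_signedpath)` block in the hunk at `@@ -2089,6 +2086,16 @@` is now the only rejection for an additional ticket that neither `check_PAC()` nor `check_KRB5SignedPath()` vouched for, since the per-call checks were removed in the two hunks above, so it is only sound if `ad_signedpath` starts at 0 and each callee sets it solely on a successful verification. The declaration and both callees are outside the patch, so that needs confirming, and the invariant deserves a comment above the block, e.g. `/* ad_signedpath is set only by a successful PAC or SignedPath check on adtkt; refuse delegation otherwise */`. The log text also runs two clauses together and calls `tpn` the delegation target, while the success message right below uses `tpn, cpn, spn` as for/from/to; `"Ticket not signed with PAC nor SignedPath: constrained delegation for %s from %s to %s refused (request from %s)", tpn, cpn, spn, from` would keep the fields consistent for anyone reading KDC logs. The enclosing block starts outside the hunk.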