From df848bfd97435975fb83a08a16286860a6e00104 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 29 Dec 2022 11:19:02 +0100
Subject: [PATCH] kdc: don't announce KRB5_PADATA_GSS unless gss_preauth is
 enabled

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 kdc/kerberos5.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index e6bd17adf..118451ba7 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2312,6 +2312,8 @@ _kdc_as_rep(astgs_request_t r)
 	    }
 	    if (pat[n].type == KRB5_PADATA_FX_FAST && !r->config->enable_fast)
 		continue;
+	    if (pat[n].type == KRB5_PADATA_GSS && !r->config->enable_gss_preauth)
+		continue;
 
 	    ret = krb5_padata_add(r->context, r->rep.padata,
 				  pat[n].type, NULL, 0);