From eb388539ec61408b8cfb57fab9082e3105c07b3c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 29 Dec 2022 11:18:22 +0100
Subject: [PATCH] kdc: don't announce KRB5_PADATA_PKINIT_KX unless anonymous is allowed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273
Signed-off-by: Stefan Metzmacher
---
 kdc/kerberos5.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index ad25d4c1e..e6bd17adf 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2302,6 +2302,8 @@ _kdc_as_rep(astgs_request_t r)
 if (!r->armor_crypto && (pat[n].flags & PA_REQ_FAST))
 continue;
+ if (pat[n].type == KRB5_PADATA_PKINIT_KX && !r->config->allow_anonymous)
+ continue;
 if (pat[n].type == KRB5_PADATA_ENC_TIMESTAMP) {
 if (r->armor_crypto && !r->config->enable_armored_pa_enc_timestamp)
 continue;
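Review bot: The added `allow_anonymous` test in the `pat[n]` loop only decides whether KRB5_PADATA_PKINIT_KX is advertised to the client; on its own it does not stop a client from sending that padata type or from making an anonymous request. The request-handling path is not visible in this hunk, so please confirm that it checks `r->config->allow_anonymous` independently rather than relying on the announcement being absent. The two new lines also carry no comment, unlike the reasoning given in the commit subject; something like `/* only announce PKINIT-KX when anonymous requests are allowed */` above the `if` would keep the intent next to the code. The enclosing loop and function start and end outside the hunk.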