krb5: Do not fail to rd_req if no AD-KDC-ISSUED

We reject tickets that have no AD-KDC-ISSUED(!). This was reported by Samba. The workaround they found was to set check_pac = true in krb5.conf, as that clobbers the ret from krb5_ticket_get_authorization_data_type() not having found an AD-KDC-ISSUED element. This was introduced in 1cede09a0b.
2023-01-05 17:57:36 -06:00
parent b87b813fee
commit ece456b028
1 changed files with 4 additions and 5 deletions
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -1037,11 +1037,10 @@ krb5_rd_req_ctx(krb5_context context,
            goto out;
    }

-    ret = krb5_ticket_get_authorization_data_type(context, o->ticket,
-                                                  KRB5_AUTHDATA_KDC_ISSUED,
-                                                  NULL);
-    if (ret == 0)
-        o->ticket->client->nameattrs->kdc_issued_verified = 1;
+    if (krb5_ticket_get_authorization_data_type(context, o->ticket,
+						KRB5_AUTHDATA_KDC_ISSUED,
+						NULL) == 0)
+	o->ticket->client->nameattrs->kdc_issued_verified = 1;

    /* If there is a PAC, verify its server signature */
    if (inctx == NULL || inctx->check_pac) {