From ece456b028b3f1b2eab06265d4c99544f8f28993 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Thu, 5 Jan 2023 17:57:36 -0600
Subject: [PATCH] krb5: Do not fail to rd_req if no AD-KDC-ISSUED

We reject tickets that have no AD-KDC-ISSUED(!). This was reported by Samba. The workaround they found was to set check_pac = true in krb5.conf, as that clobbers the ret from krb5_ticket_get_authorization_data_type() not having found an AD-KDC-ISSUED element. This was introduced in 1cede09a0b772e99beac6fcc440a917c9e8b183a.
---
 lib/krb5/rd_req.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c
index 371037c84..012cfefc2 100644
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -1037,11 +1037,10 @@ krb5_rd_req_ctx(krb5_context context,
 goto out;
 }
- ret = krb5_ticket_get_authorization_data_type(context, o->ticket,
- KRB5_AUTHDATA_KDC_ISSUED,
- NULL);
- if (ret == 0)
- o->ticket->client->nameattrs->kdc_issued_verified = 1;
+ if (krb5_ticket_get_authorization_data_type(context, o->ticket,
- KRB5_AUTHDATA_KDC_ISSUED,
+ NULL) == 0)
+ o->ticket->client->nameattrs->kdc_issued_verified = 1;
 /* If there is a PAC, verify its server signature */
 if (inctx == NULL || inctx->check_pac) {
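Review bot: The new condition folds every non-zero return from krb5_ticket_get_authorization_data_type() into "leave kdc_issued_verified at 0 and carry on", while the commit message only motivates ignoring the case where no AD-KDC-ISSUED element exists; if that helper also fails when an element is present but cannot be decoded or its checksum does not verify, a tampered element is now silently treated like a missing one instead of failing the rd_req as it did before. I would keep ret and distinguish the two cases, e.g. `ret = krb5_ticket_get_authorization_data_type(context, o->ticket, KRB5_AUTHDATA_KDC_ISSUED, NULL);` followed by `if (ret == 0) o->ticket->client->nameattrs->kdc_issued_verified = 1; else if (ret != <not-found code>) goto out;`, using whatever not-found code the helper returns (not visible in this hunk). A short comment such as `/* Absence of AD-KDC-ISSUED is not an error; only a present but unverifiable one is. */` would also record why the return value is no longer propagated. The hunk as shown marks the new call's KRB5_AUTHDATA_KDC_ISSUED continuation line with `-` although the diffstat counts 4 insertions, so one of the two appears garbled in this copy. krb5_rd_req_ctx() starts and ends outside the hunk.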