git.samba.org / lorikeet-heimdal.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
kdc: Optionally allow missing additional ticket PAC for user-to-user
[lorikeet-heimdal.git] / kdc / krb5tgs.c
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 142f0ef92d357eb73d64c264cc5e724832813b31..a3121c000d007d9f1d437dff9b5b333999d9de87 100644 (file)
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1797,7 +1797,9 @@ server_lookup:
                goto out;
            }
 
-           if (user2user_pac == NULL || !user2user_kdc_issued) {
+           if ((config->require_pac && !user2user_pac)
+               || (user2user_pac && !user2user_kdc_issued))
+           {
                ret = KRB5KDC_ERR_BADOPTION;
                kdc_log(context, config, 0,
                        "Ticket not signed with PAC; user-to-user failed (%s).",
Lorikeet-Heimal