gensec: Allow login without a PAC by default (bug #9581)

The sense of this test was inverted.  We only want to take the ACCESS_DENIED error
if gensec:require_pac=true.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit df004b5014b92b987f907047d2ca9f567e3d0ac1)

diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index d73221355102e2119dc950aa85031a3985c6e60b..64952b198374ef66d09ff084661c7dbd3d8551a4 100644 (file)
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
        session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
 
        if (!pac_blob) {
-               if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
+               if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
                        DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
                                  principal_string));
                        return NT_STATUS_ACCESS_DENIED;