kdc: Allow requesting no PAC for AS-REQ to non-TGS server

Note that we still get a PAC even if the NO_AUTH_DATA_REQUIRED flag is
set, which matches Windows behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 1cde438de624b0c9dd9aaafa037e145a42a30272..98d03d36b6f13f98f2f67524ff7e60a80560f90c 100644 (file)
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1848,7 +1848,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
     kdc_audit_setkv_number((kdc_request_t)r, "pac_attributes",
                           r->pac_attributes);
 
-    if (!_kdc_include_pac_p(r))
+    if (!is_tgs && !(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY)))
        return 0;
 
     /*