Revert "Always send the PAC to the PAC responder"

This reverts commit d153941864fe481399665be8fe583c9317194a99.
author: Sumit Bose <sbose@redhat.com> 2013-06-24 17:25:46 +0200
committer: Jakub Hrozek <jhrozek@redhat.com> 2013-06-25 14:34:39 +0200
commit: 48a53690ae35ef7e5690eb216c8e33140070f984 (patch)
tree: 5c23952fd1ac046f5ea8c9d4d8060be41218464d /src/providers
parent: 1de61a60ea50700ef687969b0b70d53907994255 (diff)
download: sssd-48a53690ae35ef7e5690eb216c8e33140070f984.tar.gz
sssd-48a53690ae35ef7e5690eb216c8e33140070f984.tar.xz
sssd-48a53690ae35ef7e5690eb216c8e33140070f984.zip
1 files changed, 20 insertions, 18 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index e9fbfbeaf..cba72502d 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -987,25 +987,27 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
         goto done;
     }
 
-    /* Try to find and send the PAC to the PAC responder.
-     * Failures are not critical. */
-    kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
-                           kr->creds->client, keytab, &pac_authdata);
-    if (kerr != 0) {
-        DEBUG(SSSDBG_MINOR_FAILURE, ("sss_extract_and_send_pac failed, group " \
-                                     "membership for user with principal [%s] " \
-                                     "might not be correct.\n", kr->name));
-        kerr = 0;
-        goto done;
-    }
+    /* Try to find and send the PAC to the PAC responder for principals which
+     * do not belong to our realm. Failures are not critical. */
+    if (kr->upn_from_different_realm) {
+        kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
+                               kr->creds->client, keytab, &pac_authdata);
+        if (kerr != 0) {
+            DEBUG(SSSDBG_OP_FAILURE, ("sss_extract_and_send_pac failed, group " \
+                                      "membership for user with principal [%s] " \
+                                      "might not be correct.\n", kr->name));
+            kerr = 0;
+            goto done;
+        }
 
-    kerr = sss_send_pac(pac_authdata);
-    krb5_free_authdata(kr->ctx, pac_authdata);
-    if (kerr != 0) {
-        DEBUG(SSSDBG_MINOR_FAILURE, ("sss_send_pac failed, group " \
-                                     "membership for user with principal [%s] " \
-                                     "might not be correct.\n", kr->name));
-        kerr = 0;
+        kerr = sss_send_pac(pac_authdata);
+        krb5_free_authdata(kr->ctx, pac_authdata);
+        if (kerr != 0) {
+            DEBUG(SSSDBG_OP_FAILURE, ("sss_send_pac failed, group " \
+                                      "membership for user with principal [%s] " \
+                                      "might not be correct.\n", kr->name));
+            kerr = 0;
+        }
     }
 
 done:
author	Sumit Bose <sbose@redhat.com>	2013-06-24 17:25:46 +0200
committer	Jakub Hrozek <jhrozek@redhat.com>	2013-06-25 14:34:39 +0200
commit	48a53690ae35ef7e5690eb216c8e33140070f984 (patch)
tree	5c23952fd1ac046f5ea8c9d4d8060be41218464d /src/providers
parent	1de61a60ea50700ef687969b0b70d53907994255 (diff)
download	sssd-48a53690ae35ef7e5690eb216c8e33140070f984.tar.gz sssd-48a53690ae35ef7e5690eb216c8e33140070f984.tar.xz sssd-48a53690ae35ef7e5690eb216c8e33140070f984.zip