diff options
-rw-r--r-- | src/providers/krb5/krb5_child.c | 38 |
1 files changed, 20 insertions, 18 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index e9fbfbeaf..cba72502d 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -987,25 +987,27 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) goto done; } - /* Try to find and send the PAC to the PAC responder. - * Failures are not critical. */ - kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ, - kr->creds->client, keytab, &pac_authdata); - if (kerr != 0) { - DEBUG(SSSDBG_MINOR_FAILURE, ("sss_extract_and_send_pac failed, group " \ - "membership for user with principal [%s] " \ - "might not be correct.\n", kr->name)); - kerr = 0; - goto done; - } + /* Try to find and send the PAC to the PAC responder for principals which + * do not belong to our realm. Failures are not critical. */ + if (kr->upn_from_different_realm) { + kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ, + kr->creds->client, keytab, &pac_authdata); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, ("sss_extract_and_send_pac failed, group " \ + "membership for user with principal [%s] " \ + "might not be correct.\n", kr->name)); + kerr = 0; + goto done; + } - kerr = sss_send_pac(pac_authdata); - krb5_free_authdata(kr->ctx, pac_authdata); - if (kerr != 0) { - DEBUG(SSSDBG_MINOR_FAILURE, ("sss_send_pac failed, group " \ - "membership for user with principal [%s] " \ - "might not be correct.\n", kr->name)); - kerr = 0; + kerr = sss_send_pac(pac_authdata); + krb5_free_authdata(kr->ctx, pac_authdata); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, ("sss_send_pac failed, group " \ + "membership for user with principal [%s] " \ + "might not be correct.\n", kr->name)); + kerr = 0; + } } done: |