1 files changed, 9 insertions, 3 deletions

diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 292ba00b3..161fa269a 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -129,7 +129,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
     size_t rp;
     const char *keytab;
     uint32_t validate;
-    uint32_t different_realm;
+    uint32_t send_pac;
     uint32_t use_enterprise_principal;
     size_t username_len = 0;
     errno_t ret;
@@ -141,7 +141,13 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
     }
 
     validate = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ? 1 : 0;
-    different_realm = kr->upn_from_different_realm ? 1 : 0;
+
+    /* Always send PAC except for local IPA users */
+    if (kr->krb5_ctx->is_ipa) {
+        send_pac = kr->upn_from_different_realm ? 1 : 0;
+    } else {
+        send_pac = 1;
+    }
     use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
                                          KRB5_USE_ENTERPRISE_PRINCIPAL) ? 1 : 0;
 
@@ -184,7 +190,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
     SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->gid, &rp);
     SAFEALIGN_COPY_UINT32(&buf->data[rp], &validate, &rp);
     SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->is_offline, &rp);
-    SAFEALIGN_COPY_UINT32(&buf->data[rp], &different_realm, &rp);
+    SAFEALIGN_COPY_UINT32(&buf->data[rp], &send_pac, &rp);
     SAFEALIGN_COPY_UINT32(&buf->data[rp], &use_enterprise_principal, &rp);
 
     SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->upn), &rp);