From 48a53690ae35ef7e5690eb216c8e33140070f984 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 24 Jun 2013 17:25:46 +0200
Subject: Revert "Always send the PAC to the PAC responder"
This reverts commit d153941864fe481399665be8fe583c9317194a99.
---
 src/providers/krb5/krb5_child.c | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index e9fbfbeaf..cba72502d 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -987,25 +987,27 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
 goto done;
 }
 
- /* Try to find and send the PAC to the PAC responder.
- * Failures are not critical. */
- kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
- kr->creds->client, keytab, &pac_authdata);
- if (kerr != 0) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("sss_extract_and_send_pac failed, group " \
- "membership for user with principal [%s] " \
- "might not be correct.\n", kr->name));
- kerr = 0;
- goto done;
- }
+ /* Try to find and send the PAC to the PAC responder for principals which
+ * do not belong to our realm. Failures are not critical. */
+ if (kr->upn_from_different_realm) {
+ kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
+ kr->creds->client, keytab, &pac_authdata);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_extract_and_send_pac failed, group " \
+ "membership for user with principal [%s] " \
+ "might not be correct.\n", kr->name));
+ kerr = 0;
+ goto done;
+ }
 
- kerr = sss_send_pac(pac_authdata);
- krb5_free_authdata(kr->ctx, pac_authdata);
- if (kerr != 0) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("sss_send_pac failed, group " \
- "membership for user with principal [%s] " \
- "might not be correct.\n", kr->name));
- kerr = 0;
+ kerr = sss_send_pac(pac_authdata);
+ krb5_free_authdata(kr->ctx, pac_authdata);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_send_pac failed, group " \
+ "membership for user with principal [%s] " \
+ "might not be correct.\n", kr->name));
+ kerr = 0;
+ }
 }
 
 done:
-- cgit
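Review bot: Both failure branches inside the new `if (kr->upn_from_different_realm)` block set `kerr = 0` without logging the code they discard, so the log says group membership "might not be correct" but not why. Since that membership presumably feeds later access decisions, the error value is worth recording. The first message also still names `sss_extract_and_send_pac` although the call is `sss_extract_pac`. I would change it to `DEBUG(SSSDBG_OP_FAILURE, ("sss_extract_pac failed [%d], group " \` with `kerr, kr->name` as arguments, and add `[%d]` and `kerr` to the `sss_send_pac` message in the same way. The `goto done` path skips `krb5_free_authdata`, which is safe only if `sss_extract_pac` leaves `pac_authdata` unallocated on error; that cannot be checked here, because `validate_tgt` starts before the hunk and continues past `done:`.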