1 files changed, 13 insertions, 7 deletions

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 9137cd5ad..c1e0b9b73 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1731,6 +1731,12 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
     }
 
     if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+        if (proxy == NULL) {
+            *pac = NULL;
+            kerr = 0;
+            goto done;
+        }
+
         kerr = ipadb_add_transited_service(context, proxy, server,
                                            old_pac, new_pac);
         if (kerr) {
@@ -1986,13 +1992,6 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     krb5_db_entry *client_entry = NULL;
 
 
-    /* When client is NULL, authdata flag on the service principal was cleared
-     * by an admin. We don't generate MS-PAC in this case */
-    if (client == NULL) {
-        *signed_auth_data = NULL;
-        return 0;
-    }
-
     /* When using s4u2proxy client_princ actually refers to the proxied user
      * while client->princ to the proxy service asking for the TGS on behalf
      * of the proxied user. So always use client_princ in preference */
@@ -2000,6 +1999,13 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
         ks_client_princ = client_princ;
         kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
     } else {
+        /* When client is NULL, authdata flag on the service principal was cleared
+         * by an admin. We don't generate MS-PAC in this case */
+        if (client == NULL) {
+            *signed_auth_data = NULL;
+            return 0;
+        }
+
         ks_client_princ = client->princ;
     }