summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/providers/krb5/krb5_child.c38
1 files changed, 20 insertions, 18 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index e9fbfbea..cba72502 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -987,25 +987,27 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
goto done;
}
- /* Try to find and send the PAC to the PAC responder.
- * Failures are not critical. */
- kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
- kr->creds->client, keytab, &pac_authdata);
- if (kerr != 0) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("sss_extract_and_send_pac failed, group " \
- "membership for user with principal [%s] " \
- "might not be correct.\n", kr->name));
- kerr = 0;
- goto done;
- }
+ /* Try to find and send the PAC to the PAC responder for principals which
+ * do not belong to our realm. Failures are not critical. */
+ if (kr->upn_from_different_realm) {
+ kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
+ kr->creds->client, keytab, &pac_authdata);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_extract_and_send_pac failed, group " \
+ "membership for user with principal [%s] " \
+ "might not be correct.\n", kr->name));
+ kerr = 0;
+ goto done;
+ }
- kerr = sss_send_pac(pac_authdata);
- krb5_free_authdata(kr->ctx, pac_authdata);
- if (kerr != 0) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("sss_send_pac failed, group " \
- "membership for user with principal [%s] " \
- "might not be correct.\n", kr->name));
- kerr = 0;
+ kerr = sss_send_pac(pac_authdata);
+ krb5_free_authdata(kr->ctx, pac_authdata);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_send_pac failed, group " \
+ "membership for user with principal [%s] " \
+ "might not be correct.\n", kr->name));
+ kerr = 0;
+ }
}
done: