From a70b91297251aa781eb290b7238622b5b1f51d74 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand
Date: Fri, 11 Jun 2010 09:55:10 -0700
Subject: [PATCH] only resign PAC if there is a verified PAC on the way in

---
 kdc/krb5tgs.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 70138c789..1c4858232 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -332,19 +332,25 @@ check_PAC(krb5_context context,
 	}
 	ret = _kdc_pac_verify(context, client_principal,
-			      client, server, &pac);
+			      client, server, &pac, signedpath);
 	if (ret) {
 	    krb5_pac_free(context, pac);
 	    return ret;
 	}
-	*signedpath = 1;
-	ret = _krb5_pac_sign(context, pac, tkt->authtime,
-			     client_principal,
-			     server_key, krbtgt_key, rspac);
+	/*
+	 * Only re-sign PAC if we could verify it with the PAC
+	 * function. The no-verify case happens when we get in
+	 * a PAC from cross realm from a Windows domain and
+	 * that there is no PAC verification function.
+	 */
+	if (*signedpath)
+	    ret = _krb5_pac_sign(context, pac, tkt->authtime,
+				 client_principal,
+				 server_key, krbtgt_key, rspac);
 	krb5_pac_free(context, pac);
-
+
 	return ret;
     }
 }
-- 
2.11.4.GIT
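Review bot: The new `if (*signedpath)` guard makes the re-sign decision depend on `_kdc_pac_verify` writing `*signedpath` on every success path, including the no-verifier case the comment describes; that contract is not visible in this hunk, and if the callee can return 0 without touching it, whatever value the caller passed in decides whether an unverified PAC receives a fresh KDC signature. The comment should state the contract explicitly, e.g. add ` * _kdc_pac_verify must set *signedpath (0 when no verifier ran); the value passed in is not trusted.` so the dependency is obvious to the next reader, and the callee's prototype should document the same. It is also worth noting here that when the branch is skipped `rspac` is left as the caller passed it, so the unverified PAC is omitted from the response rather than re-signed, which is the security property this change relies on. Stylistically, the three-line body of `if (*signedpath)` should be braced to avoid the classic unbraced-multiline hazard. check_PAC begins before this hunk, so the initial values of `signedpath` and `rspac` cannot be confirmed from here.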