From e54658728038dcb55ecfcc63cf48e211d73ee0cf Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 10 Aug 2023 16:31:41 +1200
Subject: [PATCH] s4:kdc: Fail PAC checksum verification if the krbtgt entry
 has no keys

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/kdc/mit_kdc_irpc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source4/kdc/mit_kdc_irpc.c b/source4/kdc/mit_kdc_irpc.c
index 9e82d6801b7..92fb78d56e5 100644
--- a/source4/kdc/mit_kdc_irpc.c
+++ b/source4/kdc/mit_kdc_irpc.c
@@ -136,6 +136,7 @@ static NTSTATUS netr_samlogon_generic_logon(struct irpc_message *msg,
 	 */
 	skeys = sentry.keys;
 
+	code = EINVAL;
 	for (i = 0; i < skeys.len; i++) {
 		krb5_keyblock krbtgt_keyblock = skeys.val[i].key;
 
-- 
2.11.4.GIT