From 817e83837d249a63395d90ac47dc975a23f00c6c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 25 Feb 2014 20:53:49 +0200
Subject: [PATCH 50/51] ipa-kdb: make sure we don't produce MS-PAC in case of
 authdata flag cleared by admin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When admin clears authdata flag for the service principal, KDC will pass
NULL client pointer (service proxy) to the DAL driver.

Make sure we bail out correctly.

Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 2a0480fff029d29fb56286d85108936f6c579901..9137cd5ad1e6166fd5d6e765fab2c8178ca0587c 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1985,6 +1985,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     int result;
     krb5_db_entry *client_entry = NULL;
 
+
+    /* When client is NULL, authdata flag on the service principal was cleared
+     * by an admin. We don't generate MS-PAC in this case */
+    if (client == NULL) {
+        *signed_auth_data = NULL;
+        return 0;
+    }
+
     /* When using s4u2proxy client_princ actually refers to the proxied user
      * while client->princ to the proxy service asking for the TGS on behalf
      * of the proxied user. So always use client_princ in preference */
-- 
1.8.5.3