hdb_entry_ex *server,
hdb_entry_ex *krbtgt,
const EncryptionKey *server_check_key,
- const EncryptionKey *krbtgt_check_key,
const EncryptionKey *server_sign_key,
const EncryptionKey *krbtgt_sign_key,
EncTicketPart *tkt,
ret = krb5_pac_verify(context, pac, tkt->authtime,
client_principal,
- server_check_key, krbtgt_check_key);
+ server_check_key, NULL);
if (ret) {
krb5_pac_free(context, pac);
return ret;
Key *tkey_check;
Key *tkey_sign;
- Key *tkey_krbtgt_check = NULL;
int flags = HDB_F_FOR_TGS_REQ;
memset(&sessionkey, 0, sizeof(sessionkey));
goto out;
}
- /* Check if we would know the krbtgt key for the PAC. We would
- * only know this if the krbtgt principal was the same (ie, in our
- * realm, regardless of KVNO) */
- if (krb5_principal_compare(context, krbtgt_out->entry.principal, krbtgt->entry.principal)) {
- tkey_krbtgt_check = tkey_check;
- }
-
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
NULL, &clientdb, &client);
if(ret == HDB_ERR_NOT_FOUND_HERE) {
ret = check_PAC(context, config, cp, NULL,
client, server, krbtgt,
&tkey_check->key,
- tkey_krbtgt_check ? &tkey_krbtgt_check->key : NULL,
ekey, &tkey_sign->key,
tgt, &rspac, &signedpath);
if (ret) {
*/
ret = check_PAC(context, config, tp, dp,
client, server, krbtgt,
- &clientkey->key, &tkey_check->key,
+ &clientkey->key,
ekey, &tkey_sign->key,
&adtkt, &rspac, &ad_signedpath);
if (ret) {