HEIMDAL: kdc: don't announce KRB5_PADATA_GSS unless gss_preauth is enabled

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273

Signed-off-by: Stefan Metzmacher <metze@samba.org>

diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c
index 3ff42244ffd8a0ffb1e8210a77a0ba9fe3d1c4ec..b35d272d3f3beeda501f6d4fb9d82d2084e11a0d 100644 (file)
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
@@ -2593,6 +2593,8 @@ _kdc_as_rep(astgs_request_t r)
            }
            if (pat[n].type == KRB5_PADATA_FX_FAST && !r->config->enable_fast)
                continue;
+           if (pat[n].type == KRB5_PADATA_GSS && !r->config->enable_gss_preauth)
+               continue;
 
            ret = krb5_padata_add(r->context, r->rep.padata,
                                  pat[n].type, NULL, 0);