gensec: Allow login without a PAC by default (bug #9581)
author Andrew Bartlett <abartlet@samba.org>
Tue, 22 Jan 2013 03:45:14 +0000 (14:45 +1100)
committer Stefan Metzmacher <metze@samba.org>
Thu, 24 Jan 2013 13:18:22 +0000 (14:18 +0100)
The sense of this test was inverted.  We only want to take the ACCESS_DENIED error
if gensec:require_pac=true.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
auth/gensec/gensec_util.c

index d73221355102e2119dc950aa85031a3985c6e60b..64952b198374ef66d09ff084661c7dbd3d8551a4 100644 (file)
@@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
        session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
 
        if (!pac_blob) {
-               if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
+               if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
                        DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
                                  principal_string));
                        return NT_STATUS_ACCESS_DENIED;
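
Review bot: The flipped condition inside the `if (!pac_blob)` branch comes with no test in this change, and an inverted check on `gensec:require_pac` is the kind of error a pair of tests would catch: a ticket without a PAC and require_pac=true should return NT_STATUS_ACCESS_DENIED, and the same ticket with the default (false) should proceed. The hunk does not show what runs after this block when the PAC is missing and the option is false, so please confirm how that path builds the session info for `principal_string`, and consider a DEBUG line there recording that a PAC-less ticket was accepted so the case is visible in logs. Because the default passed to `gensec_setting_bool` is false, tickets without a PAC are accepted unless an administrator sets the option; the documentation for `gensec:require_pac` should state that default and when to set it to true.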