From d23d8e859357b0fac4d1f4a49f1dce6cf60d6216 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 15 Oct 2021 12:12:30 +1300
Subject: [PATCH] heimdal:kdc: Fix ticket signing without a PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/heimdal/kdc/krb5tgs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index d0483a3903b..2de3b099199 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -695,10 +695,12 @@ tgs_make_reply(krb5_context context,
     }
 
     /* The PAC should be the last change to the ticket. */
-    ret = _krb5_kdc_pac_sign_ticket(context, mspac, tgt_name, serverkey,
-				    krbtgtkey, rodc_id, add_ticket_sig, &et);
+    if (mspac != NULL) {
+	ret = _krb5_kdc_pac_sign_ticket(context, mspac, tgt_name, serverkey,
+					krbtgtkey, rodc_id, add_ticket_sig, &et);
 	if (ret)
 	    goto out;
+    }
 
     /* It is somewhat unclear where the etype in the following
        encryption should come from. What we have is a session
-- 
2.47.3