indicate how we might ignore PAC verification failures

git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/authdata@22600 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index b6c15dd261da41d6a4de0bb2564e7195ce6199f1..2c9962cb1e28c2b0452ea35b2567f77da7e0c684 100644 (file)
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -964,7 +964,18 @@ mspac_request_verify(krb5_context context,
                           key,
                           NULL);
 
+#if 0
+    /*
+     * Now, we could return 0 and just set pac->verified to FALSE.
+     * Thoughts?
+     */
+    if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+        assert(pacctx->pac->verified == FALSE);
+        code = 0;
+    }
+#else
     if (pacctx->pac->verified == TRUE || code != 0);
+#endif
 
     return code;
 }