From: Gary Lockyer
Date: Sun, 19 Oct 2025 22:44:26 +0000 (+1300)
Subject: third_party:heimdal: import lorikeet-heimdal-202510192136
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=63312ccbf74c7fcc9ed71e8d69c9b29a6580b976;p=thirdparty%2Fsamba.git
third_party:heimdal: import lorikeet-heimdal-202510192136
(commit 041c5049eb0e97edaa422ec240ccfe7380667190)
Add a new flag always_include_pac to the krb5_kdc_configuration. If set this over-rides the PA-PAC-REQUEST and the PAC is always included in the response.
Signed-off-by: Gary Lockyer
Reviewed-by: Jennifer Sutton
---
diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c
index 80048109493..7fe72e80705 100644
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
@@ -33,6 +33,7 @@
 #include "kdc_locl.h"
 #include "krb5_err.h"
+#include "krb5_locl.h"
 #ifdef TIME_T_SIGNED
 #if SIZEOF_TIME_T == 4
@@ -2221,6 +2222,9 @@ get_pac_attributes(krb5_context context, KDC_REQ *req)
 pac_attributes = pacreq.include_pac ? KRB5_PAC_WAS_REQUESTED : 0;
 free_PA_PAC_REQUEST(&pacreq);
+ if (pac_attributes == 0 && context->flags & KRB5_CTX_F_ALWAYS_INCLUDE_PAC) {
+ pac_attributes = KRB5_PAC_WAS_GIVEN_IMPLICITLY;
+ }
 return pac_attributes;
 }
diff --git a/third_party/heimdal/lib/krb5/context.c b/third_party/heimdal/lib/krb5/context.c
index 0b9c967fb62..b459e19948b 100644
--- a/third_party/heimdal/lib/krb5/context.c
+++ b/third_party/heimdal/lib/krb5/context.c
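Review bot: The added condition in get_pac_attributes() mixes `&&` with a bare `&` in a security decision; it parses as intended, but next to an `==` it is easy to misread, so write `if (pac_attributes == 0 && (context->flags & KRB5_CTX_F_ALWAYS_INCLUDE_PAC)) {`. The branch should also carry a comment stating the policy, for example `/* KDC policy: ignore an explicit include-pac=FALSE from the client and always issue a PAC */`, because the PAC holds the authorization data that services behind the KDC rely on, and the value recorded is KRB5_PAC_WAS_GIVEN_IMPLICITLY rather than KRB5_PAC_WAS_REQUESTED. To read the flag, the KDC now includes the library-private `krb5_locl.h` (first hunk of this file) and dereferences `context->flags` directly; an accessor or a KDC configuration field would preserve the layering and match the commit description, which names krb5_kdc_configuration. The function begins outside the hunk, so the return paths taken when the PA-PAC-REQUEST padata is absent or fails to decode are not visible here and should be checked against the same policy.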
@@ -241,6 +241,7 @@ init_context_from_config_file(krb5_context context)
 INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
 INIT_FLAG(context, flags, KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE, FALSE, "enforce_ok_as_delegate");
 INIT_FLAG(context, flags, KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME, FALSE, "report_canonical_client_name");
+ INIT_FLAG(context, flags, KRB5_CTX_F_ALWAYS_INCLUDE_PAC, FALSE, "always_include_pac");
 /* report_canonical_client_name implies check_pac */
 if (context->flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME)
diff --git a/third_party/heimdal/lib/krb5/krb5_locl.h b/third_party/heimdal/lib/krb5/krb5_locl.h
index 57e7819e9c2..62679222f5a 100644
--- a/third_party/heimdal/lib/krb5/krb5_locl.h
+++ b/third_party/heimdal/lib/krb5/krb5_locl.h
@@ -331,6 +331,7 @@ typedef struct krb5_context_data {
 #define KRB5_CTX_F_FCACHE_STRICT_CHECKING 32
 #define KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE 64
 #define KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME 128
+#define KRB5_CTX_F_ALWAYS_INCLUDE_PAC 256
 struct send_to_kdc *send_to_kdc;
 #ifdef PKINIT
 hx509_context hx509ctx;
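Review bot: The `INIT_FLAG` line for `always_include_pac` defaults to FALSE, so a client's PA-PAC-REQUEST opt-out keeps working until an operator enables the option, yet nothing in the visible hunks documents where it is set or what it does. The flag is loaded in init_context_from_config_file() into the generic krb5 context, not the krb5_kdc_configuration named in the commit description, so add a comment such as `/* KDC only: ignore include-pac=FALSE in PA-PAC-REQUEST and always issue a PAC */` above the line and describe the option in the configuration documentation. The matching `#define KRB5_CTX_F_ALWAYS_INCLUDE_PAC 256` in krb5_locl.h would benefit from the same one-line comment, since it appears to be a KDC-side policy bit sitting among library context flags. init_context_from_config_file() begins and ends outside the hunk.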