From 93a5264dd68da57e172af50020f670631eeef263 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 23 Nov 2021 20:15:41 +1300
Subject: [PATCH 41/99] kdc: Always add the PAC if the header TGT is from an
 RODC

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 690a00a40c0a3f77da6e4dca42b630f2793a98b8)
Conflict: remove selftest/knownfail_heimdal_kdc 
---
 source4/kdc/wdc-samba4.c       | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index ecd182702c3..8c3ce71529c 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -471,7 +471,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
 		goto out;
 	}
 
-	if (!server_skdc_entry->is_krbtgt) {
+	if (!is_untrusted && !server_skdc_entry->is_krbtgt) {
 		/*
 		 * The client may have requested no PAC when obtaining the
 		 * TGT.
-- 
2.25.1