From ecf1ac9dbf006db4802e1b4dd0128464120852f3 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 22 Jan 2013 14:45:14 +1100
Subject: [PATCH] gensec: Allow login without a PAC by default (bug #9581)
The sense of this test was inverted. We only want to take the ACCESS_DENIED error if gensec:require_pac=true. Andrew Bartlett
Reviewed-by: Stefan Metzmacher
(cherry picked from commit df004b5014b92b987f907047d2ca9f567e3d0ac1)
---
 auth/gensec/gensec_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index d732213..64952b1 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
 if (!pac_blob) {
- if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
 principal_string));
 return NT_STATUS_ACCESS_DENIED;
-- 
1.7.9.5
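Review bot: Nothing at the `if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false))` line records which way the test is meant to go, and the commit message says it has already been inverted once. A short comment above it would guard against a repeat, for example `/* No PAC in the ticket: refuse only when gensec:require_pac=true (default false). */`. With the default now admitting PAC-less tickets, the session's group data presumably comes from the code after this block and not from KDC-signed authorization data, so it is worth confirming that the fall-through path logs the PAC-less acceptance at a level operators will see. The body of gensec_generate_session_info_pac starts before and continues past this hunk, so that path is not visible here.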