back-port r24640 from trunk

------------------------------------------------------------------------
r24640 | ghudson | 2011-02-16 18:34:37 -0500 (Wed, 16 Feb 2011) | 14 lines

ticket: 6870
subject: Don't reject AP-REQs based on PACs
target_version: 1.9.1
tags: pullup

Experience has shown that it was a mistake to fail AP-REQ verification based on failure to verify the signature of PAC authdata contained in the ticket. We've had two rounds of interoperability issues with the hmac-md5 checksum code, an interoperability issue with OSX generating unsigned PACs, and another problem where PACs are copied by older KDCs from a cross-realm TGT into the service ticket. If a PAC signature cannot be verified, just don't mark it as verified and continue on with the AP exchange.

https://github.com/krb5/krb5/commit/c34804a019ce01c52684d52c2822ce2682af7c5d
Commit By: tlyu
Revision: 24671
Changed Files:
U branches/krb5-1-8/src/lib/krb5/krb/pac.c