s4:heimdal: import lorikeet-heimdal-201003262338 (commit f4e0dc17709829235f057e0e100d34802d3929ff)

1 files changed, 8 insertions, 4 deletions

diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c
index 4d8da93579..e7d4d9532d 100644
--- a/source4/heimdal/lib/krb5/ticket.c
+++ b/source4/heimdal/lib/krb5/ticket.c
@@ -443,9 +443,7 @@ check_server_referral(krb5_context context,
 	return KRB5KRB_AP_ERR_MODIFIED;
     }
 
-    if (returned->name.name_string.len == 2 &&
-	strcmp(returned->name.name_string.val[0], KRB5_TGS_NAME) == 0)
-    {
+    if (krb5_principal_is_krbtgt(context, returned)) {
 	const char *realm = returned->name.name_string.val[1];
 
 	if (ref.referred_realm == NULL
@@ -485,7 +483,13 @@ check_server_referral(krb5_context context,
 
     return ret;
 noreferral:
-    if (krb5_principal_compare(context, requested, returned) == FALSE) {
+    /*
+     * Expect excact match or that we got a krbtgt
+     */
+    if (krb5_principal_compare(context, requested, returned) != TRUE &&
+	(krb5_realm_compare(context, requested, returned) != TRUE &&
+	 krb5_principal_is_krbtgt(context, returned) != TRUE))
+    {
 	krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
 			       N_("Not same server principal returned "
 				  "as requested", ""));