From 51b94ab3fd4d13ee38813eb7d20db11edaa667a8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 25 Jul 2011 10:06:47 +0200
Subject: s4:kdc: canonicalize the principal if HDB_F_FOR_TGS_REQ is given Windows seems to always canonicalize the principal in TGS replies. metze
Autobuild-User: Stefan Metzmacher
Autobuild-Date: Tue Jul 26 03:25:06 CEST 2011 on sn-devel-104
---
 source4/kdc/db-glue.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'source4')
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 080cf70bd8..88fecdd5ab 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1170,7 +1170,12 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 return HDB_ERR_NOENTRY; }
- if (flags & HDB_F_CANON) {
+ /*
+ * Windows seems to canonicalize the principal
+ * in a TGS REP even if the client did not specify
+ * the canonicalize flag.
+ */
+ if (flags & HDB_F_CANON|HDB_F_FOR_TGS_REQ) {
 ret = krb5_copy_principal(context, principal, &alloc_principal); if (ret) { return ret;
@@ -1192,7 +1197,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx, principal, SAMBA_KDC_ENT_TYPE_KRBTGT, flags, realm_dn, msg, entry_ex);
- if (flags & HDB_F_CANON) {
+ if (alloc_principal) {
 /* This is again copied in the message2entry call */ krb5_free_principal(context, alloc_principal); }
-- cgit
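Review bot: The new condition `flags & HDB_F_CANON|HDB_F_FOR_TGS_REQ` in the first hunk parses as `(flags & HDB_F_CANON) | HDB_F_FOR_TGS_REQ`, because `&` binds tighter than `|` in C. Assuming HDB_F_FOR_TGS_REQ is a non-zero constant, the test is always true, so the krbtgt principal is copied and rewritten on every lookup through this path, not only for TGS requests as the commit message describes. Parenthesize the mask: `if (flags & (HDB_F_CANON|HDB_F_FOR_TGS_REQ)) {`. Building with `-Wparentheses` (part of `-Wall` in GCC) reports this pattern. The body of samba_kdc_fetch_krbtgt starts and ends outside the hunk.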
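Review bot: The second hunk's `if (alloc_principal)` is only safe if `alloc_principal` is initialized to NULL where it is declared, and that declaration is outside the hunk. If it is not initialized, any call that skips the copy branch would pass an indeterminate pointer to `krb5_free_principal()`. As written, the always-true condition in the first hunk hides this, so it would surface only once that mask is parenthesized. Confirm the declaration reads something like `krb5_principal alloc_principal = NULL;`. Also check that no return between the copy and this free leaks the copy; those lines are not visible here.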