From 95332f72acf87e04be6fb70c5dc00cabd14ac97c Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 17 Jun 2013 12:22:32 +0200
Subject: Use principal from the ticket to find validation entry

If canonicalization or enterprise principals are enabled the realm of the client principal might have changed compared to the original request. To find the most suitable keytab entry to validate the TGT is it better to use the returned client principal.
Fixes https://fedorahosted.org/sssd/ticket/1931
---
 src/providers/krb5/krb5_child.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 74d730aa..ac9a905f 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -931,7 +931,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
 }
 memset(&entry, 0, sizeof(entry));
- if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) {
+ if (krb5_realm_compare(kr->ctx, validation_princ, kr->creds->client)) {
 DEBUG(SSSDBG_TRACE_INTERNAL, ("Found keytab entry with the realm of the credential.\n"));
 realm_entry_found = true;
-- cgit
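Review bot: The reason for comparing against `kr->creds->client` rather than `kr->princ` is recorded only in the commit message, so the `krb5_realm_compare()` line should carry a comment such as `/* Use the client principal from the returned ticket: with canonicalization or enterprise principals its realm may differ from the requested kr->princ. */`. That comment should also say that this principal is taken from the KDC reply which validate_tgt has not yet finished checking, so it may only steer which keytab entry is selected and must not be treated as verified before the validation step succeeds. The hunk does not show whether `kr->creds` is guaranteed to be non-NULL at this point; presumably the function is only reached after a successful credential request, but that is worth confirming because the body of validate_tgt starts and ends outside the hunk.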