In do_tgs_req(), treat the search_sprinc() result as a referral only
if it is a cross-TGS principal and it doesn't match the requested
server principal. This change fixes two corner cases: (1) when a
client requests a cross-realm TGT, we won't squash the name type in
the response; and (2) if we are serving multiple realms out of the
same KDB, we will properly handle aliases to any local-realm TGT, not
just the one for the configured realm name.
ticket: 7555
if (errcode != 0)
goto cleanup;
sprinc = server->princ;
- is_referral = krb5_is_tgs_principal(server->princ) &&
- !krb5_principal_compare(kdc_context, tgs_server, server->princ);
+
+ /* If we got a cross-realm TGS which is not the requested server, we are
+ * issuing a referral (or alternate TGT, which we treat similarly). */
+ is_referral = is_cross_tgs_principal(server->princ) &&
+ !krb5_principal_compare(kdc_context, request->server, server->princ);
+
if (is_referral) {
/*
* We may be issuing an alternate TGT or a referral to another realm,
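Review bot: is_cross_tgs_principal() is called here without its definition in view, and corner case (2) from the commit message (several realms served from one KDB) depends on how that helper decides "cross": if it compares the krbtgt instance against the configured realm rather than against the realm of server->princ itself, an alias to a local-realm TGT for a non-configured realm would still be classed as a referral and reach the is_referral branch. Please confirm the helper compares the instance against the principal's own realm and state that contract in a comment at its declaration. The switch from tgs_server to request->server is what stops a directly requested cross-realm TGT from being treated as a referral; the new comment above the assignment could say so explicitly so a later cleanup does not reintroduce the tgs_server comparison.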