Put KDB authdata first

Windows services, as well as some versions of Samba, may refuse
tickets if the PAC is not in the first AD-IF-RELEVANT container.  In
fetch_kdb_authdata(), change the merge order so that authdata from the
KDB module appears first.

[ghudson@mit.edu: added comment and clarified commit message]

ticket: 8872 (new)
tags: pullup
target_version: 1.18
target_version: 1.17-next

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index a18e4b4bebbeb20100ad059dfdc793964cb43a49..1ebe872467f3d2ad28d5f80e1361344c29e4de44 100644 (file)
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -372,11 +372,14 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,
     if (ret)
         return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;
 
-    /* Add the KDB authdata to the ticket, without copying or filtering. */
-    ret = merge_authdata(context, db_authdata,
-                         &enc_tkt_reply->authorization_data, FALSE, FALSE);
+    /* Put the KDB authdata first in the ticket.  A successful merge places the
+     * combined list in db_authdata and releases the old ticket authdata. */
+    ret = merge_authdata(context, enc_tkt_reply->authorization_data,
+                         &db_authdata, FALSE, FALSE);
     if (ret)
         krb5_free_authdata(context, db_authdata);
+    else
+        enc_tkt_reply->authorization_data = db_authdata;
     return ret;
 }