From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 18 Jan 2022 22:06:46 +0000 (-0500)
Subject: Pass client flag to KDB for client preauth match
X-Git-Tag: krb5-1.20-beta1~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1236%2Fhead;p=thirdparty%2Fkrb5.git

Pass client flag to KDB for client preauth match

In the kdcpreauth match_client() callback, if it is necessary to look
up the given principal in the KDB, pass KRB5_KDB_FLAG_CLIENT to
krb5_db_get_principal().  Samba requires this flag to properly handle
enterprise client principals.

ticket: 9048 (new)
---

diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index e1323907e3..5d3dfd86c3 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -491,7 +491,7 @@ match_client(krb5_context context, krb5_kdcpreauth_rock rock,
         krb5_principal_compare(context, princ, client))
         return TRUE;
 
-    if (krb5_db_get_principal(context, princ, 0, &ent))
+    if (krb5_db_get_principal(context, princ, KRB5_KDB_FLAG_CLIENT, &ent))
         return FALSE;
     match = krb5_principal_compare(context, ent->princ, client);
     krb5_db_free_principal(context, ent);