From 312bf1c331038059698d14d7026387079a49bb61 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 20 Sep 2017 23:05:09 +0200
Subject: [PATCH] HEIMDAL:kdc: if we don't have an authenticator subkey for
 S4U2Proxy we need to use the additional tickets key

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source4/heimdal/kdc/krb5tgs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index f5b4137c2b8..d59eb9731be 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -2144,6 +2144,10 @@ server_lookup:
 	    goto out;
 	}
 
+	if (rk_is_subkey == 0) {
+	    auth_data_key = &adtkt.key;
+	}
+
 	kdc_log(context, config, 0, "constrained delegation for %s "
 		"from %s (%s) to %s", tpn, cpn, dpn, spn);
     }
-- 
2.47.2