From 44e22a45a46fc5fc2f111a71cc3340920e33757e Mon Sep 17 00:00:00 2001
From: Sam Hartman
Date: Wed, 23 Dec 2009 21:10:33 +0000
Subject: [PATCH] Permit the realm to be canonicalized from any realm to the anonymous realm when anonymous is requested even when the principal is not a TGS principal.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23505 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/krb/get_in_tkt.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 95f952aace..7043845920 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -310,6 +310,9 @@ verify_as_reply(krb5_context context,
 if (canon_req) {
 canon_ok = IS_TGS_PRINC(context, request->server) &&
 IS_TGS_PRINC(context, as_reply->enc_part2->server);
+ if ((!canon_ok ) && (request->kdc_options &KDC_OPT_REQUEST_ANONYMOUS))
+ canon_ok = krb5_principal_compare(context, as_reply->client,
+ krb5_anonymous_principal());
 } else
 canon_ok = 0;
 
-- 
2.47.2
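Review bot: The added anonymous branch sets `canon_ok` from the reply's client name alone, so whatever `canon_ok` relaxes later in `verify_as_reply` (the function starts and ends outside this hunk) now also applies when the server is not a TGS principal. If that later validation also skips comparing `as_reply->enc_part2->server` with `request->server`, as the TGS-only condition just above suggests it was written for, an anonymous request would accept a reply naming a different service, which is wider than the realm change the commit message describes. Consider tying the relaxation to an unchanged server, e.g. `canon_ok = krb5_principal_compare(context, as_reply->client, krb5_anonymous_principal()) && krb5_principal_compare(context, as_reply->enc_part2->server, request->server);`, or add a comment above the branch stating why the server comparison may be waived for anonymous requests.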