From: Luke Howard <lukeh@padl.com>
Date: Sat, 2 Apr 2011 06:41:44 +0000 (+0000)
Subject: When doing S4U2Self for the anon principal, use the server realm
X-Git-Tag: krb5-1.10-alpha1~504
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2b93295ca4f2e4394d80f8d0aca1b2387b6b36a2;p=thirdparty%2Fkrb5.git

When doing S4U2Self for the anon principal, use the server realm

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24793 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index e79ab86c61..237950a37a 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -74,9 +74,17 @@ s4u_identify_user(krb5_context context,
 
     if (in_creds->client != NULL &&
         krb5_princ_type(context, in_creds->client) !=
-        KRB5_NT_ENTERPRISE_PRINCIPAL)
-        /* we already know the realm of the user */
-        return krb5_copy_principal(context, in_creds->client, canon_user);
+        KRB5_NT_ENTERPRISE_PRINCIPAL) {
+        int anonymous;
+
+        anonymous = krb5_principal_compare(context, in_creds->client,
+                                           krb5_anonymous_principal());
+
+        return krb5_copy_principal(context,
+                                   anonymous ? in_creds->server
+                                             : in_creds->client,
+                                   canon_user);
+    }
 
     memset(&creds, 0, sizeof(creds));
 
@@ -503,7 +511,7 @@ krb5_get_self_cred_from_kdc(krb5_context context,
 
     /* First, acquire a TGT to the user's realm. */
     code = krb5int_tgtname(context, user_realm,
-                        krb5_princ_realm(context, in_creds->server), &tgs);
+                           krb5_princ_realm(context, in_creds->server), &tgs);
     if (code != 0)
         goto cleanup;