From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 31 Jan 2013 06:26:22 +0000 (-0500)
Subject: Fix is_referral flag in KDC TGS code
X-Git-Tag: krb5-1.12-alpha1~319
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c072b059ecff257e7600be0e86869decd135d422;p=thirdparty%2Fkrb5.git

Fix is_referral flag in KDC TGS code

A server response which is a cross-realm TGT is not a referral if it
was directly requested by the client.  Misclassifying such a response
as a referral means we don't mirror the request's name type, which has
been observed to break older Java clients.

ticket: 7555 (new)
---

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index d2b89e25ec..12589b8039 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -246,7 +246,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
         setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
 
     is_referral = krb5_is_tgs_principal(server->princ) &&
-        !krb5_principal_compare(kdc_context, tgs_server, server->princ);
+        !krb5_principal_compare(kdc_context, request->server, server->princ);
 
     /* Check for protocol transition */
     errcode = kdc_process_s4u2self_req(kdc_active_realm,