--- krb5-1.11.3/src/lib/krb5/krb/s4u_creds.c.orig 2013-11-27 17:14:33.589000000 +0100 +++ krb5-1.11.3/src/lib/krb5/krb/s4u_creds.c 2013-11-27 18:18:15.081000000 +0100 @@ -460,10 +460,13 @@ krb5_pa_s4u_x509_user s4u_user; int referral_count = 0, i; krb5_flags kdcopt; + char *myprinc; + krb5_principal dummy_krb5_princ; memset(&tgtq, 0, sizeof(tgtq)); memset(&s4u_creds, 0, sizeof(s4u_creds)); memset(referral_tgts, 0, sizeof(referral_tgts)); + memset(&dummy_krb5_princ, 0, sizeof(dummy_krb5_princ)); *out_creds = NULL; memset(&s4u_user, 0, sizeof(s4u_user)); 
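Review bot: `myprinc` and `dummy_krb5_princ` are introduced here, but nothing visible in this patch releases them: the later hunk fills them through `krb5_unparse_name`/`krb5_unparse_name_flags` and `krb5_parse_name` and never calls `krb5_free_unparsed_name` or `krb5_free_principal` on them. Each request that takes those branches therefore appears to leak both allocations. Declaring them as `char *myprinc = NULL;` and `krb5_principal dummy_krb5_princ = NULL;` (rather than a `memset` over a pointer) and freeing both at the `cleanup` label would cover every exit. The label and the rest of the function are outside the hunk, so confirm nothing there already frees them.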
@@ -564,6 +567,51 @@ } } + TRACE(context, "XXX: type {int} s4u_creds {princ} tgtptr {data}", krb5_princ_type(context, s4u_creds.server), s4u_creds.server, &(tgtptr->server->data[1])); + if (krb5_princ_component(context, s4u_creds.server, 0) != NULL + && strcmp(krb5_princ_component(context, s4u_creds.server, 0), "krbtgt") != 0) { + if (krb5_princ_type(context, s4u_creds.server) == KRB5_NT_ENTERPRISE_PRINCIPAL) { + code = krb5_unparse_name_flags(context, s4u_creds.server, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &myprinc); + if (code != 0) { + krb5_free_pa_data(context, in_padata); + goto cleanup; + } + TRACE(context, "XXXX: myprinc {str}", myprinc); + + code = krb5_parse_name(context, myprinc, &dummy_krb5_princ); + if (code != 0) { + krb5_free_pa_data(context, in_padata); + goto cleanup; + } + + TRACE(context, "XXXXX: dummy_krb5_princ {princ}", dummy_krb5_princ); + if (data_eq(*krb5_princ_realm(context, dummy_krb5_princ), tgtptr->server->data[1])) { + code = krb5_copy_principal(context, dummy_krb5_princ, &s4u_creds.server); + if (code != 0) { + krb5_free_pa_data(context, in_padata); + goto cleanup; + } + } + TRACE(context, "XXXXXX: type {int} s4u_creds {princ} tgtptr {data}", krb5_princ_type(context, s4u_creds.server), s4u_creds.server, &(tgtptr->server->data[1])); + + } else if (!data_eq(*krb5_princ_realm(context, s4u_creds.server), tgtptr->server->data[1]) && krb5_princ_type(context, s4u_creds.server) != KRB5_NT_ENTERPRISE_PRINCIPAL) { + code = krb5_unparse_name(context, s4u_creds.server, &myprinc); + if (code != 0) { + krb5_free_pa_data(context, in_padata); + goto cleanup; + } + krb5_free_principal(context, s4u_creds.server); + + code = krb5_parse_name_flags(context, myprinc, + KRB5_PRINCIPAL_PARSE_ENTERPRISE, + &s4u_creds.server); + if (code != 0) { + krb5_free_pa_data(context, in_padata); + goto cleanup; + } + } + } + /* Rewrite server realm to match TGS realm */ krb5_free_data_contents(context, &s4u_creds.server->realm);
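Review bot: In the non-enterprise branch, `s4u_creds.server` is freed and then left dangling if `krb5_parse_name_flags` fails, and the code jumps to `cleanup` with the stale pointer. If the cleanup path releases the contents of `s4u_creds` (it is outside the hunk), that is a double free; adding `s4u_creds.server = NULL;` right after `krb5_free_principal(context, s4u_creds.server);` closes it. The outer guard also hands the result of `krb5_princ_component`, which is a `krb5_data *` and not a NUL-terminated string, to `strcmp`. A length-aware test such as `!data_eq_string(*krb5_princ_component(context, s4u_creds.server, 0), "krbtgt")` compares the component itself. In the enterprise branch, `krb5_copy_principal` overwrites `s4u_creds.server` without freeing the principal it held, and the `XXX` TRACE lines look like leftover debugging.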