Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.427 (Entity 5.427)
Subject: Service principal aliases broken in 1.11 KDC
X-RT-Original-Encoding: iso-8859-1
Content-Length: 1214

RFC 6806 section 6 specifies that when a client makes a TGS request for 
the alias name of a server, the KDC must issue a ticket which appears to 
be for the alias, not for the canonical name.  We implement this 
correctly up through 1.10, but in 1.11 we issue a ticket for the 
canonical name, which clients will typically reject.

In 1.10, there is a complicated piece of open-coded KDC logic for 
looking up the service principal.  It rewrites request->server if we are 
returning an alternate cross-realm TGT or making a host referral.  The 
rewritten request->server is used as the reply server.

In 1.11, we replaced this logic with a call to a helper function 
search_sprinc(), after which we unconditionally rewrite request->server.  
This is fine if search_sprinc() elected to return an alternate TGT or a 
TGT for a host referral, but is incorrect if request->server was simply 
an alias.

A minimal fix is to only rewrite request->server if search_sprinc() 
returned a TGT.  In the long term, we want to separate the reply server 
from the request server so we aren't rewriting the request, but we still 
need to apply the same rules for when we make the reply server different 
from the request server.