Ticket History #7698: Service principal aliases broken in 1.11 KDC

RFC 6806 section 6 specifies that when a client makes a TGS request for
the alias name of a server, the KDC must issue a ticket which appears to
be for the alias, not for the canonical name. We implement this
correctly up through 1.10, but in 1.11 we issue a ticket for the
canonical name, which clients will typically reject.

In 1.10, there is a complicated piece of open-coded KDC logic for
looking up the service principal. It rewrites request->server if we are
returning an alternate cross-realm TGT or making a host referral. The
rewritten request->server is used as the reply server.

In 1.11, we replaced this logic with a call to a helper function
search_sprinc(), after which we unconditionally rewrite request->server.
This is fine if search_sprinc() elected to return an alternate TGT or a
TGT for a host referral, but is incorrect if request->server was simply
an alias.

A minimal fix is to only rewrite request->server if search_sprinc()
returned a TGT. In the long term, we want to separate the reply server
from the request server so we aren't rewriting the request, but we still
need to apply the same rules for when we make the reply server different
from the request server.

Don't treat local krbtgt principal as referral

If we look up a principal and in the KDB and get back the local TGS
principal, the KDC should treat this as an alias, not a referral, and
should therefore issue a ticket for the requested principal rather the
canonical name.

https://github.com/krb5/krb5/commit/22f00f6b8233fa281e5aad854789bd14abdda91b
Author: Greg Hudson <ghudson@mit.edu>
Commit: 22f00f6b8233fa281e5aad854789bd14abdda91b
Branch: master
src/kdc/do_tgs_req.c | 15 +++++++--------
1 files changed, 7 insertions(+), 8 deletions(-)