Skip Menu |

Subject: git commit

Verify PAC client name independently of name-type

In krb5_pac_verify(), unparse the provided principal name and compare
using strcmp(), instead of parsing pac principal, in order to avoid
relying on the provided name type.

This change is needed for tickets issued with cross-realm S4U2Proxy
(with resource-based constrained delegation), because the final
request uses a cross-TGT as the evidence ticket, so the ticket client
name is taken from the PAC and does not preserve the name type.
Microsoft KDCs use NT-MS-PRINCIPAL as the ticket client name type in
this case, regardless of the original name type.

[ rewrote commit message; made minor style edits]
Author: Isaac Boukris <>
Committer: Greg Hudson <>
Commit: e935913a4dc9461c129e373bfd752e8a6c795e28
Branch: master
src/lib/krb5/krb/pac.c | 29 +++++++-------------------
src/lib/krb5/krb/t_pac.c | 49 +++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 56 insertions(+), 22 deletions(-)