-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c19
1 files changed, 13 insertions, 6 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 68f27f0e2..848127876 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2002,6 +2002,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
bool with_pad;
int result;
krb5_db_entry *client_entry = NULL;
+ krb5_boolean is_equal;
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
@@ -2012,12 +2013,18 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
if (client_princ != NULL) {
ks_client_princ = client_princ;
if (!is_as_req) {
- kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
- /* If we didn't find client_princ in our database, it might be:
- * - a principal from another realm, handle it down in ipadb_get/verify_pac()
- */
- if (!kerr) {
- client_entry = NULL;
+ is_equal = false;
+ if ((client != NULL) && (client->princ != NULL)) {
+ is_equal = krb5_principal_compare(context, client_princ, client->princ);
+ }
+ if (!is_equal) {
+ kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
+ /* If we didn't find client_princ in our database, it might be:
+ * - a principal from another realm, handle it down in ipadb_get/verify_pac()
+ */
+ if (kerr != 0) {
+ client_entry = NULL;
+ }
}
}
} else {
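Review bot: The new `if (kerr != 0)` branch treats every failure of `ipadb_get_principal()` as the foreign-realm case described in the comment, so a backend or allocation error while looking up a local principal would also continue with `client_entry == NULL` into the cross-realm PAC handling. Consider narrowing it to the not-found result and failing the request on anything else, e.g. `if (kerr == KRB5_KDB_NOENTRY) { client_entry = NULL; kerr = 0; } else if (kerr != 0) { /* return kerr via the function's error path */ }`, assuming `KRB5_KDB_NOENTRY` is what the lookup returns for a missing entry. As written, `kerr` also keeps its non-zero value after the branch. Whether it is overwritten before the function returns, and whether a successfully fetched `client_entry` is released on every exit path, cannot be seen here because the body of `ipadb_sign_authdata` continues outside the hunk. A short comment on the `is_equal` shortcut would also help, something like `/* client_princ is the already-loaded client entry: no second lookup needed */`.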