Diffstat (limited to 'daemons/ipa-kdb')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 7f2e58666..c59dcbb32 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -762,11 +762,13 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 krb5_pac pac = NULL;
 krb5_data pac_data;
- /* Prefer canonicalised name from client entry */
- if (client != NULL) {
- ks_client_princ = client->princ;
- } else {
+ /* When using s4u2proxy client_princ actually refers to the proxied user
+ * while client->princ to the proxy service asking for the TGS on behalf
+ * of the proxied user. So always use client_princ in preference */
+ if (client_princ != NULL) {
 ks_client_princ = client_princ;
+ } else {
+ ks_client_princ = client->princ;
 }
 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
|
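Review bot: The new `else` branch assigns `client->princ` without checking `client`, whereas the removed code only dereferenced `client` after testing `client != NULL`; if this function can be reached with both `client_princ` and `client` NULL, that is a NULL dereference inside the KDC. Consider `} else if (client != NULL) {` for the fallback, with a final `else` that returns an error before any PAC work is done. Because the principal chosen here decides whose PAC is built and signed, the comment could also state that the canonicalised name from the client entry is now only a fallback. The body of ipadb_sign_authdata starts and ends outside this hunk, so whether callers guarantee a non-NULL `client_princ` cannot be confirmed from here.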