authorGreg Hudson <ghudson@mit.edu>2013-08-28 12:11:40 -0400
committerGreg Hudson <ghudson@mit.edu>2013-08-28 13:50:52 -0400
commit24a29f8c0f9f78f96e3795410e202b139fce6236 (patch)
tree7addee6fc5dc65777ece53f8b6c361bb5229a238 /src/kdc/do_tgs_req.c
parent7e1ed6156c6aaa0159c0976a4d93b60a18dc6473 (diff)
Fix KDC reply service principal for aliases
If a client requests a service ticket for the alias of a service principal, RFC 6806 section 6 requires that the KDC issue a ticket which appears to be for the alias and not for the canonical name. After calling search_sprinc(), only replace request->server with server->princ if the latter is a TGT; this will be the case for an alternate cross-realm TGT or a host referral, but not for a simple service alias. ticket: 7698 target_version: 1.11.4 tags: pullup
Diffstat (limited to 'src/kdc/do_tgs_req.c')
-rw-r--r--src/kdc/do_tgs_req.c23
1 files changed, 15 insertions, 8 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 2d5fceed94..6710912b00 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -217,14 +217,21 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
if (errcode != 0)
goto cleanup;
sprinc = server->princ;
- /* XXX until nothing depends on request being mutated */
- krb5_free_principal(kdc_context, request->server);
- request->server = NULL;
- errcode = krb5_copy_principal(kdc_context, server->princ,
- &request->server);
- if (errcode != 0) {
- status = "COPYING RESOLVED SERVER";
- goto cleanup;
+ if (krb5_is_tgs_principal(server->princ)) {
+ /*
+ * We may be issuing an alternate TGT or host referral, in which case
+ * we should use the canonical name in the reply. XXX We should track
+ * the reply server separately instead of modifying request->server,
+ * but that requires a bunch of code changes.
+ */
+ krb5_free_principal(kdc_context, request->server);
+ request->server = NULL;
+ errcode = krb5_copy_principal(kdc_context, server->princ,
+ &request->server);
+ if (errcode != 0) {
+ status = "COPYING RESOLVED SERVER";
+ goto cleanup;
+ }
}
if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
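Review bot: The comment inside the `if (krb5_is_tgs_principal(server->princ))` branch explains the TGT case, but nothing records the new invariant for the other case: for a plain service alias `request->server` now keeps the client-supplied name while `sprinc` holds the canonical one, so the two can differ for the rest of process_tgs_req. Code after this point that is not visible in the hunk (policy checks, audit logging, the ticket and reply server fields) should be checked to confirm each use picks the intended name; presumably authorization decisions should key on `sprinc`/`server`, with only the issued ticket's name following `request->server`. I would add a comment after the closing brace such as `/* Otherwise request->server stays as requested (RFC 6806 section 6); use sprinc for the canonical name. */`. process_tgs_req begins and ends outside this hunk.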