Fix transited handling for GSSAPI acceptors

The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter.  If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.

To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.

Based on a bug report and patch from nalin@redhat.com.

ticket: 7639
target_version: 1.11.3
tags: pullup

1 files changed, 13 insertions, 0 deletions

diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index de778cc910..5583b0247f 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -110,6 +110,19 @@ if 'host/-nomatch-' not in output:
 
 realm.stop()
 
+# Make sure a GSSAPI acceptor can handle cross-realm tickets with a
+# transited field.  (Regression test for #7639.)
+r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
+                          create_user=False, create_host=False,
+                          args=[{'realm': 'A.X', 'create_user': True},
+                                {'realm': 'X'},
+                                {'realm': 'B.X', 'create_host': True}])
+os.rename(r3.keytab, r1.keytab)
+r1.run(['./t_accname', 'p:' + r3.host_princ, 'h:host'])
+r1.stop()
+r2.stop()
+r3.stop()
+
 ### Test gss_inquire_cred behavior.
 
 realm = K5Realm()