From c007ac0d70ff7a3a4867a0316735e8cab9e34021 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 27 Mar 2012 14:24:12 -0400
Subject: Fix MS-PAC checks when using s4u2proxy

We were using the wrong principal in the s4u2proxy case.

Fixes: https://fedorahosted.org/freeipa/ticket/2504
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'daemons/ipa-kdb')

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 7f2e5866..c59dcbb3 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -762,11 +762,13 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     krb5_pac pac = NULL;
     krb5_data pac_data;
 
-    /* Prefer canonicalised name from client entry */
-    if (client != NULL) {
-        ks_client_princ = client->princ;
-    } else {
+    /* When using s4u2proxy client_princ actually refers to the proxied user
+     * while client->princ to the proxy service asking for the TGS on behalf
+     * of the proxied user. So always use client_princ in preference */
+    if (client_princ != NULL) {
         ks_client_princ = client_princ;
+    } else {
+        ks_client_princ = client->princ;
     }
 
     is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
-- cgit
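Review bot: The new `else` branch dereferences `client` unconditionally, whereas the removed code only touched `client->princ` behind an explicit `client != NULL` test, so the fallback now crashes the KDC if a caller passes both `client_princ == NULL` and `client == NULL` — a combination the old code tolerated by leaving `ks_client_princ` as `client_princ`. The fix is one line, `} else if (client != NULL) {`, plus an explicit error return for the case where neither principal is available, since `ipadb_sign_authdata` returns a `krb5_error_code` and the rest of the function presumably cannot sign a PAC without a client principal; whether `ks_client_princ` is initialised at declaration is outside the hunk, so confirm that before relying on a silent fall-through. The comment would also read more clearly as `/* For S4U2Proxy, client_princ is the impersonated user and client->princ the proxy service requesting on its behalf; the PAC must describe the user, so prefer client_princ. */`, which states why the choice matters for the MS-PAC check rather than only which field is which. The enclosing function starts and ends outside this hunk.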