authorGreg Hudson <ghudson@mit.edu>2013-08-28 18:39:55 -0400
committerGreg Hudson <ghudson@mit.edu>2013-08-28 18:39:55 -0400
commit22f00f6b8233fa281e5aad854789bd14abdda91b (patch)
treed9d7b200ebc05b2a566d0e0413850c949db82ed6
parent9357ec2ae8d4b4dda7fa925eb632cfe1c9b3d793 (diff)
Don't treat local krbtgt principal as referral
If we look up a principal in the KDB and get back the local TGS principal, the KDC should treat this as an alias, not a referral, and should therefore issue a ticket for the requested principal rather than the canonical name. ticket: 7698
-rw-r--r--src/kdc/do_tgs_req.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 6710912b0..6415e2880 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -217,12 +217,14 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
if (errcode != 0)
goto cleanup;
sprinc = server->princ;
- if (krb5_is_tgs_principal(server->princ)) {
+ is_referral = krb5_is_tgs_principal(server->princ) &&
+ !krb5_principal_compare(kdc_context, tgs_server, server->princ);
+ if (is_referral) {
/*
- * We may be issuing an alternate TGT or host referral, in which case
- * we should use the canonical name in the reply. XXX We should track
- * the reply server separately instead of modifying request->server,
- * but that requires a bunch of code changes.
+ * We may be issuing an alternate TGT or a referral to another realm,
+ * in which case we should use the canonical name in the reply. XXX We
+ * should track the reply server separately instead of modifying
+ * request->server, but that requires a bunch of code changes.
*/
krb5_free_principal(kdc_context, request->server);
request->server = NULL;
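Review bot: The new `is_referral` assignment has no comment of its own, even though it now decides whether `request->server` is replaced by the canonical name and therefore which server name ends up in the issued ticket. I would put the alias rule directly above it, for example `/* A lookup that returns the local TGS principal is an alias, not a referral: keep the requested name in the reply. */`, because the block comment inside the `if` only describes the referral case. The computation also moved ahead of its old position, so it relies on `tgs_server` already being valid here; the hunk does not show where that is established, and this is worth confirming. `process_tgs_req` starts and ends outside the hunk.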
@@ -251,9 +253,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
if (!is_local_principal(kdc_active_realm, header_enc_tkt->client))
setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
- is_referral = krb5_is_tgs_principal(server->princ) &&
- !krb5_principal_compare(kdc_context, tgs_server, server->princ);
-
/* Check for protocol transition */
errcode = kdc_process_s4u2self_req(kdc_active_realm,
request,