authorGreg Hudson <ghudson@mit.edu>2013-08-29 11:15:02 -0400
committerGreg Hudson <ghudson@mit.edu>2013-08-29 11:15:02 -0400
commit81ceb5352dd3bc11a546d818107d0c4a896cee44 (patch)
treeb81ef95c615e83db63ea078b573544bf78bd5d02
parentba31a9317bdef13d73e98afe493695601f91d134 (diff)
Make it possible to renew aliased service tickets
We always allow aliases in the service principal when processing AS-REQs and TGS-REQs. If the ticket we issued is presented back to us in a TGS-REQ as a header ticket for renewal or similar, we should allow aliases when looking up its key to decode the AP-REQ. ticket: 7699 (new)
-rw-r--r--src/kdc/kdc_util.c6
-rw-r--r--src/tests/t_kdb.py8
2 files changed, 11 insertions, 3 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index e61a867d6..bc638c19b 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -389,9 +389,9 @@ kdc_rd_ap_req(kdc_realm_t *kdc_active_realm,
match_enctype = 0;
}
- retval = kdc_get_server_key(kdc_context,
- apreq->ticket, 0, match_enctype, server, NULL,
- NULL);
+ retval = kdc_get_server_key(kdc_context, apreq->ticket,
+ KRB5_KDB_FLAG_ALIAS_OK, match_enctype, server,
+ NULL, NULL);
if (retval)
return retval;
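Review bot: The reason the flags argument of kdc_get_server_key changes from `0` to `KRB5_KDB_FLAG_ALIAS_OK` is stated only in the commit message; the call site itself gives a reader no hint that the header ticket may legitimately name an alias of the server, which is the kind of relaxation a later maintainer could "tighten" back by mistake. A one-line comment above the call would carry that rationale into the code, e.g. `/* The header ticket was issued by us and may name a server alias, so allow alias lookup when fetching its key. */`. The enclosing kdc_rd_ap_req starts before this hunk and continues after it, so whether the ticket's server name is later compared against the canonical principal is not visible here.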
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 7a9471f8a..70fe58a84 100644
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -286,6 +286,14 @@ out = realm.run([klist])
if 'tgtalias@KRBTEST.COM\n' not in out:
fail('After fetching tgtalias, klist is missing it')
+# Make sure aliases work in header tickets.
+realm.run_kadminl('modprinc -maxrenewlife "3 hours" user')
+realm.run_kadminl('modprinc -maxrenewlife "3 hours" krbtgt/KRBTEST.COM')
+realm.kinit(realm.user_princ, password('user'), ['-l', '1h', '-r', '2h'])
+realm.run([kvno, 'alias'])
+realm.kinit(realm.user_princ, flags=['-R', '-S', 'alias'])
+realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
+
realm.stop()
# Briefly test dump and load.
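Review bot: The two new kinit calls pass their option list differently: the first passes `['-l', '1h', '-r', '2h']` positionally while the second uses the `flags=` keyword, so `realm.kinit(realm.user_princ, password('user'), flags=['-l', '1h', '-r', '2h'])` would read consistently. The comment "Make sure aliases work in header tickets." could also say how the test exercises that path, since it is not obvious that `-R -S alias` presents the alias service ticket as the header ticket, e.g. `# Renewing the alias service ticket (-R -S alias) presents it back to the KDC as the header ticket of the TGS-REQ.`. The renewal relies on the maxrenewlife settings on the two lines above; whether the canonical principal behind `alias` also needs one cannot be told from this hunk.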