| author | Greg Hudson <ghudson@mit.edu> | 2010-04-22 23:29:40 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2010-04-22 23:29:40 +0000 |
| commit | ae32c239988996a4cf3529b4d63cf68de739a496 (patch) | |
| tree | 357e426cad08a62ea69ffa2ca39cef89b88f91c7 /src | |
| parent | 719a2475df345ed2157996de1407b1507ac11d12 (diff) | |
From Luke: fix the post-canonicalization cache check logic in
krb5_get_credentials_for_user().
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23927 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/krb5/krb/s4u_creds.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 02485e851..da6dd0c99 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -685,11 +685,17 @@ krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
 if (code != 0) goto cleanup;
- code = krb5_get_credentials(context, options | KRB5_GC_CACHED,
- ccache, in_creds, out_creds);
- if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE)
- || options & KRB5_GC_CACHED)
- goto cleanup;
+ if (in_creds->client != NULL &&
+ in_creds->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ /* Post-canonicalisation check for enterprise principals */
+ krb5_creds mcreds = *in_creds;
+ mcreds.client = realm;
+ code = krb5_get_credentials(context, options | KRB5_GC_CACHED,
+ ccache, &mcreds, out_creds);
+ if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE)
+ || (options & KRB5_GC_CACHED))
+ goto cleanup;
+ }
 code = krb5_get_self_cred_from_kdc(context, options, ccache, in_creds, subject_cert, |
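Review bot: The `(options & KRB5_GC_CACHED)` early exit now exists only inside the enterprise-principal branch, so a cache-only request whose `in_creds->client` is NULL or not `KRB5_NT_ENTERPRISE_PRINCIPAL` skips it and reaches `krb5_get_self_cred_from_kdc()` with the flag still set. The function starts and ends outside this hunk, so an earlier check may already cover that path; if it does not, a caller asking for cached credentials only would trigger a KDC exchange. I would add an unconditional guard after the block, along the lines of `if (options & KRB5_GC_CACHED) { code = KRB5_CC_NOTFOUND; goto cleanup; }` (the right error code should be confirmed against the rest of the function). Separately, `mcreds` is a shallow copy whose `client` is pointed at `realm`, so a comment such as `/* mcreds borrows in_creds' fields and realm; it must not be freed */` would prevent a later double free.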
