* kdc_preauth.c (get_sam_edata): Use proper interface to

		krb5_db_get_principal. Also if SAM is not an option, do
		not return as a possible type to client. [krb5-kdc/310]

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9712 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 13 insertions, 2 deletions

diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 190c4f3c5..679351671 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,9 @@
+Wed Jan  1 22:56:16 1997  Ezra Peisach  <epeisach@mit.edu>
+
+	* kdc_preauth.c (get_sam_edata): Use proper interface to
+		krb5_db_get_principal. Also if SAM is not an option, do
+		not return as a possible type to client. [krb5-kdc/310]
+
 Sat Nov 23 17:26:22 1996  Mark Eichin  <eichin@kitten.gen.ma.us>
 
 	* [krb5-libs/149] only generate requests that you can actually
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index dd8d09b8b..6baaa27d1 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -637,7 +637,8 @@ get_sam_edata(context, request, client, server, pa_data)
 
     {
       char *uname;
-      int npr = 1, more;
+      int npr = 1;
+      krb5_boolean more;
       krb5_db_entry assoc;
       krb5_key_data  *assoc_key;
       krb5_principal newp;
@@ -663,7 +664,7 @@ get_sam_edata(context, request, client, server, pa_data)
 	  strlen(sam_ptr->name);
 	npr = 1;
 	retval = krb5_db_get_principal(kdc_context, newp, &assoc, &npr, &more);
-	if(!retval) {
+	if(!retval && npr) {
 	  sc.sam_type = sam_ptr->sam_type;
 	  break;
 	}
@@ -697,6 +698,10 @@ get_sam_edata(context, request, client, server, pa_data)
 	  }
 	  /* now we can use encrypting_key... */
 	}
+      } else {
+	  /* SAM is not an option - so don't return as hint */
+	  retval = KRB5_PREAUTH_BAD_TYPE;
+	  goto cleanup;
       }
 
       krb5_princ_component(kdc_context,newp,probeslot)->data = 0;