1 files changed, 19 insertions, 3 deletions

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 2c2b654a6..aebef8309 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1387,6 +1387,22 @@ is_empty_crealm(krb5_error *err)
     return (err->client == NULL || err->client->realm.length == 0);
 }
 
+/* Determine whether the client realm in a KRB-ERROR does not match the
+ * requested one. */
+static krb5_boolean
+is_different_crealm(krb5_context context, krb5_error *err,
+                    krb5_const_principal sent_princ)
+{
+
+    if (is_empty_crealm(err))
+        return FALSE;
+
+    if (krb5_realm_compare(context, err->client, sent_princ))
+        return FALSE;
+
+    return TRUE;
+}
+
 /*
  * Determine whether a KRB-ERROR is a referral to another realm.
  *
@@ -1397,7 +1413,7 @@ is_empty_crealm(krb5_error *err)
  * such responses.
  */
 static krb5_boolean
-is_referral(krb5_init_creds_context ctx)
+is_referral(krb5_context context, krb5_init_creds_context ctx)
 {
     krb5_error *err = ctx->err_reply;
 
@@ -1405,7 +1421,7 @@ is_referral(krb5_init_creds_context ctx)
         return TRUE;
     if (err->error != KDC_ERR_C_PRINCIPAL_UNKNOWN)
         return FALSE;
-    return !is_empty_crealm(err);
+    return is_different_crealm(context, err, ctx->request->client);
 }
 
 static krb5_error_code
@@ -1467,7 +1483,7 @@ init_creds_step_reply(krb5_context context,
                                              ctx->preauth_to_use);
             ctx->preauth_required = TRUE;
 
-        } else if (canon_flag && is_referral(ctx)) {
+        } else if (canon_flag && is_referral(context, ctx)) {
             if (is_empty_crealm(ctx->err_reply)) {
                 /* Only WRONG_REALM referral types can reach this. */
                 code = KRB5KDC_ERR_WRONG_REALM;