Key *tkey_sign;
int flags = HDB_F_FOR_TGS_REQ;
+ int server_flags;
int result;
if (b->kdc_options.canonicalize)
flags |= HDB_F_CANON;
+ server_flags = HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags;
+ if (b->kdc_options.enc_tkt_in_skey)
+ server_flags |= HDB_F_USER2USER_PRINCIPAL;
+
if (s == NULL) {
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
_kdc_set_const_e_text(priv, "No server in request");
_kdc_free_ent(context, serverdb, priv->server);
priv->server = NULL;
ret = _kdc_db_fetch(context, config, priv->server_princ,
- HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags,
+ server_flags,
NULL, &serverdb, &priv->server);
priv->serverdb = serverdb;
if (ret == HDB_ERR_NOT_FOUND_HERE) {
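Review bot: `HDB_F_USER2USER_PRINCIPAL` is set at `if (b->kdc_options.enc_tkt_in_skey)` purely from a KDC option the requester controls, and the `_kdc_db_fetch` call that receives `server_flags` gives no sign that the additional ticket has been checked by then. A backend that relaxes its server-principal lookup rules on this flag would be acting on an unverified request bit, so the contract should be written where backend authors will read it. I would extend the comment on the new define in the header hunk to something like `/* fetch is for the server of a user2user tgs-req; reflects the request's enc-tkt-in-skey option only, not a validated additional ticket */`, and put a one-line comment saying the same above the new `if`. The enclosing function starts and ends outside these hunks, so any later validation of the second ticket is not visible here.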
#define HDB_F_SYNTHETIC_OK 0x10000 /* synthetic principal for PKINIT or GSS preauth OK */
#define HDB_F_GET_FAST_COOKIE 0x20000 /* fetch the FX-COOKIE key (not a normal principal) */
#define HDB_F_ARMOR_PRINCIPAL 0x40000 /* fetch is for the client of an armor ticket */
+#define HDB_F_USER2USER_PRINCIPAL 0x80000 /* fetch is for the server of a user2user tgs-req */
/* hdb_capability_flags */
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1