HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets
authorStefan Metzmacher <metze@samba.org>
Wed, 8 Nov 2017 12:18:29 +0000 (13:18 +0100)
committerKarolin Seeger <kseeger@samba.org>
Tue, 20 Feb 2018 11:52:17 +0000 (12:52 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source4/heimdal/kdc/krb5tgs.c

index a91b319c630ee84ee3494824d51a5a87519d861e..e11ad5278217989db55fb0c24cedf9246b44883f 100644 (file)
@@ -725,6 +725,7 @@ tgs_make_reply(krb5_context context,
               KDC_REQ_BODY *b,
               krb5_const_principal tgt_name,
               const EncTicketPart *tgt,
+              const EncTicketPart *adtgt,
               const krb5_keyblock *replykey,
               int rk_is_subkey,
               const EncryptionKey *serverkey,
@@ -758,7 +759,7 @@ tgs_make_reply(krb5_context context,
     rep.pvno = 5;
     rep.msg_type = krb_tgs_rep;
 
-    et.authtime = tgt->authtime;
+    et.authtime = adtgt->authtime;
     _kdc_fix_time(&b->till);
     et.endtime = min(tgt->endtime, *b->till);
     ALLOC(et.starttime);
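Review bot: `adtgt` is dereferenced at `et.authtime = adtgt->authtime;` without a guard, and nothing explains why authtime is read from a different ticket than `et.endtime` two lines below, which still uses `tgt`. The visible caller initialises `adtgt` to `tgt` and only repoints it at the decrypted additional ticket in the constrained-delegation branch, so it is non-NULL on that path, but the signature does not state that contract. I would add a comment above the assignment such as `/* S4U2Proxy: authtime comes from the evidence ticket; callers pass tgt when there is none */`. If the end time is meant to stay bounded by `tgt` alone, the same comment should say so, since a reader comparing the two lines will otherwise wonder whether the lifetime was overlooked. The body of `tgs_make_reply` starts and ends outside this hunk.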
@@ -1480,6 +1481,7 @@ tgs_build_reply(krb5_context context,
     Realm r;
     int nloop = 0;
     EncTicketPart adtkt;
+    EncTicketPart *adtgt = tgt;
     char opt_str[128];
     int signedpath = 0;
 
@@ -2146,7 +2148,7 @@ server_lookup:
        if (rk_is_subkey == 0) {
            auth_data_key = &adtkt.key;
        }
-
+       adtgt = &adtkt;
        kdc_log(context, config, 0, "constrained delegation for %s "
                "from %s (%s) to %s", tpn, cpn, dpn, spn);
     }
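Review bot: `adtgt = &adtkt;` makes the reply path depend on the stack-local `adtkt` staying intact until the `tgs_make_reply` call in the last hunk, and nothing visible here shows that it does. Presumably `adtkt` is released only in the function's cleanup path; confirm that no path between this block and the call frees or overwrites it, since a stale authtime would otherwise end up in the issued ticket. Because the pointer is only read and is passed to a `const EncTicketPart *` parameter, the declaration in the earlier hunk could be `const EncTicketPart *adtgt = tgt;`. The enclosing constrained-delegation block starts outside this hunk.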
@@ -2262,6 +2264,7 @@ server_lookup:
                         b,
                         tp,
                         tgt,
+                        adtgt,
                         replykey,
                         rk_is_subkey,
                         ekey,