From 9bed96d3878910eb810b8337e7f707a4a3493e96 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 25 Jul 2011 09:23:52 +0200
Subject: [PATCH] lib/krb5: windows KDCs always return the canoncalized server
 principal

Is there a better way to handle this?

metze
---
 lib/krb5/get_cred.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index 87add0527..3b69f9d3b 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -557,6 +557,11 @@ get_cred_kdc(krb5_context context,
 	/* this should go someplace else */
 	out_creds->times.endtime = in_creds->times.endtime;
 
+	/*
+	 * Windows KDCs always canonicalize the server name
+	 */
+	eflags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
+
 	/* XXX should do better testing */
 	if (flags.b.cname_in_addl_tkt || impersonate_principal)
 	    eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
-- 
2.34.1