kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
authorLuke Howard <lukeh@padl.com>
Sun, 6 Jan 2019 06:54:58 +0000 (17:54 +1100)
committerStefan Metzmacher <metze@samba.org>
Tue, 26 Oct 2021 12:00:27 +0000 (12:00 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[jsutton@samba.org Backported from Heimdal commit
 f1dd2b818aa0866960945edea02a6bc782ed697c
 - Removed change to _kdc_find_etype() use_strongest_session_key
 parameter since Samba's Heimdal version uses different logic
]

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit db30b71f79864a20b38a1f812a5df833f3a92de8)

source4/heimdal/kdc/kerberos5.c

index 7b17d2539cef0ca8242c433b8bd3e2a81de62639..d1fd201113b403cfd36848141599384489fabe7e 100644 (file)
@@ -983,6 +983,7 @@ _kdc_as_rep(krb5_context context,
     pk_client_params *pkp = NULL;
 #endif
     const EncryptionKey *pk_reply_key = NULL;
+    krb5_boolean is_tgs;
 
     memset(&rep, 0, sizeof(rep));
     memset(&session_key, 0, sizeof(session_key));
@@ -1033,6 +1034,8 @@ _kdc_as_rep(krb5_context context,
     kdc_log(context, config, 0, "AS-REQ %s from %s for %s",
            client_name, from, server_name);
 
+    is_tgs = krb5_principal_is_krbtgt(context, server_princ);
+
     /*
      *
      */
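Review bot: The new `is_tgs = krb5_principal_is_krbtgt(context, server_princ);` line carries no comment saying why the TGS test is taken here and what it later gates, which is the whole security point of this commit; the next reader should not have to open the bug tracker to find out. Suggested comment above it: `/* Remember whether the AS-REQ targets krbtgt/REALM: only then may the backend lookup below ask for the krbtgt entry (HDB_F_GET_KRBTGT); for an ordinary service name that flag must not be passed. */` The wording about what the backend does with the flag is inferred from the title and the flag change rather than from lines visible here, so adjust it to the backend's actual behaviour. `_kdc_as_rep` starts before and ends after this hunk.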
@@ -1101,7 +1104,7 @@ _kdc_as_rep(krb5_context context,
        goto out;
     }
     ret = _kdc_db_fetch(context, config, server_princ,
-                       HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags,
+                       HDB_F_GET_SERVER | flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
                        NULL, NULL, &server);
     if(ret == HDB_ERR_NOT_FOUND_HERE) {
        kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", server_name);
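Review bot: `is_tgs` is evaluated roughly seventy lines before this `_kdc_db_fetch` call, and the backport note states that the other upstream consumer of it (the `_kdc_find_etype` change) was dropped, so if nothing else in this function reads it the decision is better made right where the flags are built than carried across code outside this hunk. For example, directly above the call: `fetch_flags = HDB_F_GET_SERVER | flags;` / `if (krb5_principal_is_krbtgt(context, server_princ))` / `fetch_flags |= HDB_F_GET_KRBTGT;` and pass `fetch_flags`. That keeps the krbtgt decision adjacent to the lookup it protects and removes any chance of the flag going stale should `server_princ` be rewritten in between (not visible from here). If `is_tgs` is still used elsewhere in the function, keep the variable but say so at its declaration. `_kdc_as_rep` continues on both sides of this hunk.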