From 684821fc68fd27ddcc5f809a37819edd35365a9d Mon Sep 17 00:00:00 2001

From: Isaac Boukris <iboukris@gmail.com>

Date: Sat, 1 Feb 2020 16:13:30 +0100

Subject: [PATCH] Put KDB authdata first

Windows services, as well as some versions of Samba, may refuse

tickets if the PAC is not in the first AD-IF-RELEVANT container.  In

fetch_kdb_authdata(), change the merge order so that authdata from the

KDB module appears first.

[ghudson@mit.edu: added comment and clarified commit message]

ticket: 8872 (new)

tags: pullup

target_version: 1.18

target_version: 1.17-next

(cherry picked from commit 331fa4bdd34263ea20667a0f51338cb84357fdaa)

(cherry picked from commit 1678270de3fda699114122447b1f06b08fb4e53e)

---

 src/kdc/kdc_authdata.c | 9 ++++++---

 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c

index 1b067cb0b..616c3eadc 100644

--- a/src/kdc/kdc_authdata.c

+++ b/src/kdc/kdc_authdata.c

@@ -383,11 +383,14 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,

     if (ret)

         return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;

-    /* Add the KDB authdata to the ticket, without copying or filtering. */

-    ret = merge_authdata(context, db_authdata,

-                         &enc_tkt_reply->authorization_data, FALSE, FALSE);

+    /* Put the KDB authdata first in the ticket.  A successful merge places the

+     * combined list in db_authdata and releases the old ticket authdata. */

+    ret = merge_authdata(context, enc_tkt_reply->authorization_data,

+                         &db_authdata, FALSE, FALSE);

     if (ret)

         krb5_free_authdata(context, db_authdata);

+    else

+        enc_tkt_reply->authorization_data = db_authdata;

     return ret;

 }