From 020f2c733e5bd03206ab602070b1f5b1f5158024 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Sun, 17 Jul 2016 17:53:34 -0400
Subject: [PATCH] kdc: principals of type NT-UNKNOWN can be anonymous

The _kdc_is_anonymous() helper function must take into account
that principals of type NT-UNKNOWN can match any other principal
type including NT-WELLKNOWN.

Change-Id: I6085b9471f6f1d662119e359491bbdce629ef048
---
 kdc/kerberos5.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index e9a5b79e7..d7662658f 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1544,7 +1544,8 @@ generate_pac(kdc_request_t r, Key *skey)
 krb5_boolean
 _kdc_is_anonymous(krb5_context context, krb5_principal principal)
 {
-    if (principal->name.name_type != KRB5_NT_WELLKNOWN ||
+    if ((principal->name.name_type != KRB5_NT_WELLKNOWN &&
+	 principal->name.name_type != KRB5_NT_UNKNOWN) ||
 	principal->name.name_string.len != 2 ||
 	strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
 	strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0)