From 10f3ab0f2abd6509db7eb8972d870c2fb39aecca Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Mon, 10 Apr 2017 21:25:11 +0000
Subject: [PATCH] Never store TGT "aliases"

When obtaining a remote TGT krbtgt/REALM2@REALM2, an intermediate cross-realm TGT obtained for krbtgt/REALM2@REALM1 is not equivalent to the TGT we seek, and must not be stored under its name.
---
 lib/krb5/get_cred.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index f7318eeb2..55eed312e 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -1218,7 +1218,8 @@ static void store_cred(krb5_context context, krb5_ccache ccache, krb5_const_principal server_princ, krb5_creds *creds)
 {
-    if (!krb5_principal_compare(context, creds->server, server_princ)) {
+    if (!krb5_principal_compare(context, creds->server, server_princ) &&
+        !krb5_principal_is_krbtgt(context, server_princ)) {
         krb5_principal tmp_princ = creds->server;
         /*
          * Store the cred with the pre-canon server princ first so it