From 3b0856cab2b25624deb1f6e0e67637ba96a647ac Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Thu, 23 Sep 2021 14:39:35 +1000
Subject: [PATCH] kdc: use ticket client name when signing PAC

The principal in the PAC_LOGON_NAME buffer is expected to match the client name in the ticket. Previously we were setting this to the canonical client name, which would have broken PAC validation if the client did not request name canonicalization
---
 kdc/kerberos5.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 69a62ecb4..c9768fc37 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1821,6 +1821,7 @@ generate_pac(astgs_request_t r, Key *skey)
 krb5_pac p = NULL;
 krb5_data data;
 uint16_t rodc_id;
+ krb5_principal client;
 
 ret = _kdc_pac_generate(r->context, r->client, &p);
 if (ret) {
@@ -1833,12 +1834,21 @@ generate_pac(astgs_request_t r, Key *skey)
 rodc_id = r->server->entry.kvno >> 16;
 
+ /* libkrb5 expects ticket and PAC client names to match */
+ ret = _krb5_principalname2krb5_principal(r->context, &client,
+ r->et.cname, r->et.crealm);
+ if (ret) {
+ krb5_pac_free(r->context, p);
+ return ret;
+ }
+
 ret = _krb5_pac_sign(r->context, p, r->et.authtime,
- r->client->entry.principal,
+ client,
 &skey->key, /* Server key */
 &skey->key, /* FIXME: should be krbtgt key */
 rodc_id, &data);
+ krb5_free_principal(r->context, client);
 krb5_pac_free(r->context, p);
 if (ret) {
 _kdc_r_log(r, 4, "PAC signing failed for -- %s",
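Review bot: The new `krb5_principal client;` declaration has no initializer, while the assignment and the matching krb5_free_principal() are in a later hunk of the same function; declaring it as `krb5_principal client = NULL;` follows the `krb5_pac p = NULL;` pattern on the line above and keeps the handle in a known state on every return path, so any shared cleanup can release it unconditionally. This is a style point rather than a defect in the current control flow, which appears to assign the variable before each use. generate_pac's body continues outside this hunk.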