Revert "kdc: Fix kinit of principal aliases"

This reverts commit d2047065bd.
2026-01-21 11:34:36 -06:00
parent 253a001ebc
commit 4d80b16a30
2 changed files with 8 additions and 28 deletions
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -353,24 +353,14 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
                                         "same_realm_aliases_are_soft", NULL))
            return 0;

-        /*
-         * For client principal lookups, keep the canonical name so the
-         * client knows their true identity.  For server lookups, use the
-         * alias name so the ticket contains the name the client requested.
-         *
-         * EPNs are always soft.
-         */
-        if ((flags & HDB_F_GET_CLIENT) ||
-            principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
-            entry->flags.force_canonicalize = 1;
-            return 0;
-        }
-
-        krb5_free_principal(context, entry->principal);
-        ret = krb5_copy_principal(context, principal, &entry->principal);
-        if (ret) {
-            hdb_free_entry(context, db, entry);
-            return ret;
+        /* EPNs are always soft */
+        if (principal->name.name_type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
+            krb5_free_principal(context, entry->principal);
+            ret = krb5_copy_principal(context, principal, &entry->principal);
+            if (ret) {
+                hdb_free_entry(context, db, entry);
+                return ret;
+            }
        }
        return 0;
    }
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -137,7 +137,6 @@ cpw -r krbtgt/${R}@${R}
 cpw -r krbtgt/${R}@${R}
 cpw -r krbtgt/${R}@${R}
 add -p foo --use-defaults foo@${R}
-modify --alias=foo-alias@${R} foo@${R}
 add -p foo --use-defaults foo/host.${r}@${R}
 add -p foo --use-defaults foo@${R2}
 add -p foo --use-defaults foo@${R3}
@@ -1019,15 +1018,6 @@ env KRB5CCNAME=${cache} ${test_renew} || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kdestroy}

-echo "checking client principal alias"; > messages.log
-${kinit} --password-file=${objdir}/foopassword foo-alias@${R} || \
-	{ ec=1 ; eval "${testfailed}"; }
-${klist} | grep "Principal: foo@${R}" > /dev/null || \
-	{ ec=1 ; eval "${testfailed}"; }
-echo "Getting tickets with aliased client"
-${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
-${kdestroy}
-
 echo "checking server aliases"; > messages.log
 ${kinit} --password-file=${objdir}/foopassword foo@$R || \
 	{ ec=1 ; eval "${testfailed}"; }