From 4d80b16a30261be16c996b03298c13ee6b9fc2a2 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 21 Jan 2026 11:34:36 -0600
Subject: [PATCH] Revert "kdc: Fix kinit of principal aliases"

This reverts commit d2047065bd32bed524d518815ae617a849554bde.
---
 lib/hdb/common.c | 26 ++++++++------------------
 tests/kdc/check-kdc.in | 10 ----------
 2 files changed, 8 insertions(+), 28 deletions(-)

diff --git a/lib/hdb/common.c b/lib/hdb/common.c
index 9419507ad..e2d12823d 100644
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -353,24 +353,14 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
 "same_realm_aliases_are_soft", NULL))
 return 0;
 
- /*
- * For client principal lookups, keep the canonical name so the
- * client knows their true identity. For server lookups, use the
- * alias name so the ticket contains the name the client requested.
- *
- * EPNs are always soft.
- */
- if ((flags & HDB_F_GET_CLIENT) ||
- principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
- entry->flags.force_canonicalize = 1;
- return 0;
- }
-
- krb5_free_principal(context, entry->principal);
- ret = krb5_copy_principal(context, principal, &entry->principal);
- if (ret) {
- hdb_free_entry(context, db, entry);
- return ret;
+ /* EPNs are always soft */
+ if (principal->name.name_type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ krb5_free_principal(context, entry->principal);
+ ret = krb5_copy_principal(context, principal, &entry->principal);
+ if (ret) {
+ hdb_free_entry(context, db, entry);
+ return ret;
+ }
 }
 return 0;
 }
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index bda43205f..a416f0a76 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -137,7 +137,6 @@ cpw -r krbtgt/${R}@${R}
 cpw -r krbtgt/${R}@${R}
 cpw -r krbtgt/${R}@${R}
 add -p foo --use-defaults foo@${R}
-modify --alias=foo-alias@${R} foo@${R}
 add -p foo --use-defaults foo/host.${r}@${R}
 add -p foo --use-defaults foo@${R2}
 add -p foo --use-defaults foo@${R3}
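Review bot: The restored branch drops the `flags & HDB_F_GET_CLIENT` distinction, so a soft-alias lookup for a client principal now rewrites `entry->principal` to the requested alias exactly as a service lookup does, and presumably the client then ends up with a ticket naming the alias rather than the canonical principal; nothing in the new code or the description says that this outcome is intended. Because the description only states that it is a revert, the restored comment should carry the rationale, e.g. `/* EPNs are always soft; other soft aliases are returned under the requested name for client and server lookups alike */`, and the description should say what the reverted change broke. The matching check in tests/kdc/check-kdc.in ("checking client principal alias", which asserted `Principal: foo@${R}` after a kinit as `foo-alias@${R}`) is deleted rather than inverted, so the name a client lookup now returns is no longer pinned by any test. `_hdb_fetch_kvno` begins outside the hunk.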
@@ -1019,15 +1018,6 @@ env KRB5CCNAME=${cache} ${test_renew} || \
 { ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
 
-echo "checking client principal alias"; > messages.log
-${kinit} --password-file=${objdir}/foopassword foo-alias@${R} || \
- { ec=1 ; eval "${testfailed}"; }
-${klist} | grep "Principal: foo@${R}" > /dev/null || \
- { ec=1 ; eval "${testfailed}"; }
-echo "Getting tickets with aliased client"
-${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
-${kdestroy}
-
 echo "checking server aliases"; > messages.log
 ${kinit} --password-file=${objdir}/foopassword foo@$R || \
 { ec=1 ; eval "${testfailed}"; }