From 6a1db3fb1c47405f0270c492139840447b94e00a Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Sun, 17 Jul 2016 19:50:38 -0400
Subject: [PATCH] princ type NT-UNKNOWN + "host" == NT-SRV-HST

Treat principals of type NT-UNKNOWN as NT-SRV-HST if the first component
of the principal name is "host".

Change-Id: I28fb619379daac827436040e701d4ab7b279852b
---
 lib/gssapi/krb5/import_name.c | 12 ++++++++----
 lib/krb5/get_cred.c           |  7 ++++++-
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/lib/gssapi/krb5/import_name.c b/lib/gssapi/krb5/import_name.c
index 716d353a4..6a362640b 100644
--- a/lib/gssapi/krb5/import_name.c
+++ b/lib/gssapi/krb5/import_name.c
@@ -88,14 +88,16 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
     krb5_const_principal p = (krb5_const_principal)targetname;
     krb5_error_code ret;
     char *hostname = NULL, *service;
+    int type;
+    const char *comp;
 
     *minor_status = 0;
 
     /* If its not a hostname */
-    if (krb5_principal_get_type(context, p) != KRB5_NT_SRV_HST &&
-	krb5_principal_get_type(context, p) != KRB5_NT_SRV_HST_NEEDS_CANON) {
-	ret = krb5_copy_principal(context, p, out);
-    } else {
+    type = krb5_principal_get_type(context, p);
+    comp = krb5_principal_get_comp_string(context, p, 0);
+    if (type == KRB5_NT_SRV_HST || type == KRB5_NT_SRV_HST_NEEDS_CANON ||
+	(type == KRB5_NT_UNKNOWN && comp != NULL && strcmp(comp, "host") == 0)) {
 	if (p->name.name_string.len == 0)
 	    return GSS_S_BAD_NAME;
 	else if (p->name.name_string.len > 1)
@@ -108,6 +110,8 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
 				      service,
 				      KRB5_NT_SRV_HST,
 				      out);
+    } else {
+	ret = krb5_copy_principal(context, p, out);
     }
 
     if (ret) {
diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index 527811da3..f7318eeb2 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -1478,6 +1478,8 @@ krb5_get_creds(krb5_context context,
     krb5_name_canon_iterator name_canon_iter = NULL;
     krb5_name_canon_rule_options rule_opts;
     int i;
+    int type;
+    const char *comp;
 
     memset(&in_creds, 0, sizeof(in_creds));
     in_creds.server = rk_UNCONST(inprinc);
@@ -1555,7 +1557,10 @@ next_rule:
     if (options & KRB5_GC_CACHED)
 	goto next_rule;
 
-    if (try_princ->name.name_type == KRB5_NT_SRV_HST)
+    type = krb5_principal_get_type(context, try_princ);
+    comp = krb5_principal_get_comp_string(context, try_princ, 0);
+    if ((type == KRB5_NT_SRV_HST || type == KRB5_NT_UNKNOWN) &&
+        comp != NULL && strcmp(comp, "host") == 0)
 	flags.b.canonicalize = 1;
     if (rule_opts & KRB5_NCRO_NO_REFERRALS)
 	flags.b.canonicalize = 0;