kdc: fix regression when validating armor client

Resolving the FAST armor client principal must use the same logic as the AS itself. Allow synthetic client principals when validating FAST armor TGTs.
2021-12-16 16:05:07 +11:00
parent b8c58191dc
commit 6b635f66de
1 changed files with 1 additions and 1 deletions
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -695,7 +695,7 @@ fast_unwrap_request(astgs_request_t r,
 	    goto out;

 	ret = _kdc_db_fetch(r->context, r->config, armor_client_principal,
-			    HDB_F_GET_CLIENT | flags,
+			    HDB_F_GET_CLIENT | HDB_F_SYNTHETIC_OK | flags,
 			    NULL, NULL, &armor_client);
 	if (ret) {
 	    ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;