krb5: don't require krbtgt otherName match for Win2K

Merged from Apple branch: when the Win2K PKINIT compatibility option is set, do
not require krbtgt otherName to match when validating KDC certificate.
Luke Howard
2019-05-15 10:44:55 +10:00
committed by Jeffrey Altman
parent c634146b14
commit 8350f34a05
3 changed files with 5 additions and 0 deletions


@@ -214,6 +214,7 @@ struct _krb5_get_init_creds_opt_private {
#define KRB5_INIT_CREDS_NO_C_CANON_CHECK 2
#define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK 4
#define KRB5_INIT_CREDS_PKINIT_KX_VALID 32
#define KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK 64
struct {
krb5_gic_process_last_req func;
void *ctx;
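Review bot: The added `KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK` define carries no comment, although it is the one flag in this group that relaxes KDC certificate validation. Per the commit description, setting it means a KDC certificate whose krbtgt otherName does not match is no longer rejected, so the KDC's identity then rests on whichever other certificate checks remain; those live in the other changed files and are not visible here. I would add a comment above the define, for example `/* Win2K PKINIT compat: do not require the krbtgt otherName in the KDC certificate to match */`. It is also worth confirming in the other two files that the flag is only ever set together with the Win2K compatibility option, and that a trace or log line records when the check is skipped. The enclosing `struct _krb5_get_init_creds_opt_private` begins and ends outside this hunk.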