From 9750f2d9152abb35d36a98795b272285c468dd28 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sun, 6 Jan 2019 18:03:07 +1100
Subject: [PATCH] hdb: force canonicalization of enterprise principal names

Whilst Windows does not canonicalize enterprise principal names if the canonicalize flag is unset, the original specification in draft-ietf-krb-wg-kerberos-referrals-03.txt says we should. Non-Windows deployments of Heimdals are unlikely to understand enterprise principal names in tickets, and are also unlikely to set the canonicalize flag, so this makes sense. (It was also the behavior prior to moving the name canonicalization logic into the KDC.)
---
 lib/hdb/common.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/hdb/common.c b/lib/hdb/common.c
index b15000d6a..d153e94b9 100644
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -119,7 +119,6 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
 if (ret)
 return ret;
 principal = enterprise_principal;
- flags |= HDB_F_CANON; /* enterprise implies canonicalization */
 }
 
 hdb_principal2key(context, principal, &key);
@@ -192,6 +191,14 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
 }
 }
 }
+ if (enterprise_principal) {
+ /*
+ * Whilst Windows does not canonicalize enterprise principal names if
+ * the canonicalize flag is unset, the original specification in
+ * draft-ietf-krb-wg-kerberos-referrals-03.txt says we should.
+ */
+ entry->entry.flags.force_canonicalize = 1;
+ }
 
 return 0;
 }
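Review bot: `entry->entry.flags.force_canonicalize = 1` in the second hunk mutates a flag on the fetched entry itself, and if force_canonicalize is one of the persisted HDBFlags rather than a lookup-scoped bit, a caller that writes this entry back via hdb_store would persist a per-lookup hint onto the real principal's record. The new comment only restates the commit message; it should also state the intended scope, e.g. `/* Set on the returned in-memory entry only; callers must not store it back. */`, or the hint should be conveyed through a lookup-result flag instead. The first hunk drops `flags |= HDB_F_CANON` before the backend lookup, so a backend that used that bit to resolve aliases no longer sees it for enterprise lookups; whether canonicalization still happens on the KDC side as the message assumes cannot be confirmed from these lines. _hdb_fetch_kvno begins before both hunks, and any cleanup of enterprise_principal lies outside the visible lines.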