kdc: Fix kinit of principal aliases

2026-01-20 13:48:25 -06:00
parent b02d4d4569
commit d2047065bd
2 changed files with 28 additions and 8 deletions
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -353,14 +353,24 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
                                         "same_realm_aliases_are_soft", NULL))
            return 0;

-        /* EPNs are always soft */
-        if (principal->name.name_type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
-            krb5_free_principal(context, entry->principal);
-            ret = krb5_copy_principal(context, principal, &entry->principal);
-            if (ret) {
-                hdb_free_entry(context, db, entry);
-                return ret;
-            }
+        /*
+         * For client principal lookups, keep the canonical name so the
+         * client knows their true identity.  For server lookups, use the
+         * alias name so the ticket contains the name the client requested.
+         *
+         * EPNs are always soft.
+         */
+        if ((flags & HDB_F_GET_CLIENT) ||
+            principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+            entry->flags.force_canonicalize = 1;
+            return 0;
+        }
+
+        krb5_free_principal(context, entry->principal);
+        ret = krb5_copy_principal(context, principal, &entry->principal);
+        if (ret) {
+            hdb_free_entry(context, db, entry);
+            return ret;
        }
        return 0;
    }
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -137,6 +137,7 @@ cpw -r krbtgt/${R}@${R}
 cpw -r krbtgt/${R}@${R}
 cpw -r krbtgt/${R}@${R}
 add -p foo --use-defaults foo@${R}
+modify --alias=foo-alias@${R} foo@${R}
 add -p foo --use-defaults foo/host.${r}@${R}
 add -p foo --use-defaults foo@${R2}
 add -p foo --use-defaults foo@${R3}
@@ -1018,6 +1019,15 @@ env KRB5CCNAME=${cache} ${test_renew} || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kdestroy}

+echo "checking client principal alias"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo-alias@${R} || \
+	{ ec=1 ; eval "${testfailed}"; }
+${klist} | grep "Principal: foo@${R}" > /dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets with aliased client"
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
 echo "checking server aliases"; > messages.log
 ${kinit} --password-file=${objdir}/foopassword foo@$R || \
 	{ ec=1 ; eval "${testfailed}"; }