From d2047065bd32bed524d518815ae617a849554bde Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Tue, 20 Jan 2026 13:48:25 -0600
Subject: [PATCH] kdc: Fix kinit of principal aliases
---
 lib/hdb/common.c | 26 ++++++++++++++++++--------
 tests/kdc/check-kdc.in | 10 ++++++++++
 2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/lib/hdb/common.c b/lib/hdb/common.c
index e2d12823d..9419507ad 100644
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -353,14 +353,24 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
 "same_realm_aliases_are_soft", NULL))
 return 0;
 
- /* EPNs are always soft */
- if (principal->name.name_type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
- krb5_free_principal(context, entry->principal);
- ret = krb5_copy_principal(context, principal, &entry->principal);
- if (ret) {
- hdb_free_entry(context, db, entry);
- return ret;
- }
+ /*
+ * For client principal lookups, keep the canonical name so the
+ * client knows their true identity. For server lookups, use the
+ * alias name so the ticket contains the name the client requested.
+ *
+ * EPNs are always soft.
+ */
+ if ((flags & HDB_F_GET_CLIENT) ||
+ principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ entry->flags.force_canonicalize = 1;
+ return 0;
+ }
+
+ krb5_free_principal(context, entry->principal);
+ ret = krb5_copy_principal(context, principal, &entry->principal);
+ if (ret) {
+ hdb_free_entry(context, db, entry);
+ return ret;
 }
 return 0;
 }
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index a416f0a76..bda43205f 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -137,6 +137,7 @@ cpw -r krbtgt/${R}@${R}
 cpw -r krbtgt/${R}@${R}
 cpw -r krbtgt/${R}@${R}
 add -p foo --use-defaults foo@${R}
+modify --alias=foo-alias@${R} foo@${R}
 add -p foo --use-defaults foo/host.${r}@${R}
 add -p foo --use-defaults foo@${R2}
 add -p foo --use-defaults foo@${R3}
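Review bot: In the server-lookup fallthrough, `krb5_free_principal(context, entry->principal)` leaves `entry->principal` pointing at freed memory until `krb5_copy_principal` succeeds, so if the copy fails the `hdb_free_entry(context, db, entry)` on the error path frees that principal a second time; add `entry->principal = NULL;` between the free and the copy (this assumes `krb5_copy_principal` leaves `*outprinc` untouched on failure, which Heimdal's implementation appears to do). The hazard was latent in the removed lines as well, but the restructured new side keeps it on the only path that still rewrites the entry. Separately, the `(flags & HDB_F_GET_CLIENT)` test also matches any caller that passes the combined `HDB_F_GET_ANY` (which includes the client bit), so such a lookup of a hard alias now yields the canonical name plus `force_canonicalize` instead of the alias; worth confirming no server-side or administrative caller relies on the old alias-in-entry result. `_hdb_fetch_kvno` begins before this hunk, so `flags` and `ret` are declared outside it.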
@@ -1018,6 +1019,15 @@ env KRB5CCNAME=${cache} ${test_renew} || \
 { ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
 
+echo "checking client principal alias"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo-alias@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${klist} | grep "Principal: foo@${R}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets with aliased client"
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
 echo "checking server aliases"; > messages.log
 ${kinit} --password-file=${objdir}/foopassword foo@$R || \
 { ec=1 ; eval "${testfailed}"; }
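Review bot: The new check asserts only that kinit of `foo-alias@${R}` yields a ccache whose principal is the canonical `foo@${R}`, but nothing records that this canonicalization is expected without the client asking for it (kinit is run without a canonicalize option), which is precisely what the KDC side now forces; a one-line comment such as `# a hard alias must canonicalize to foo@R even though the client did not request it` would make the intent explicit for the next reader. The `grep "Principal: foo@${R}"` pattern is unanchored and, if the realm contains a `.`, treats it as a wildcard, so `grep -F "Principal: foo@${R}"` pins the exact name. The enterprise-name branch of the same KDC change is not exercised here; if kinit in this tree supports an enterprise-name option, a second run through it would cover that path.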