From e840681451ac7a48ab20657ba8d6ec80d4e39dd8 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sun, 15 Aug 2021 09:36:35 +1000
Subject: [PATCH] krb5: try GSS_KRB5_NT_PRINCIPAL_NAME first for PA

When importing a Kerberos name for GSS pre-auth, first try to import the name as GSS_KRB5_NT_PRINCIPAL_NAME. If that fails, fall back to GSS_C_NT_USER_NAME.
---
 lib/gssapi/preauth/pa_common.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/gssapi/preauth/pa_common.c b/lib/gssapi/preauth/pa_common.c
index 814d1f01b..581174df4 100644
--- a/lib/gssapi/preauth/pa_common.c
+++ b/lib/gssapi/preauth/pa_common.c
@@ -138,13 +138,17 @@ _krb5_gss_pa_unparse_name(krb5_context context,
 name_buf.length = strlen(name);
 name_buf.value = name;
- if (principal->name.name_type == KRB5_NT_PRINCIPAL ||
- principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL)
+ if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL)
 name_type = GSS_C_NT_USER_NAME;
 else
 name_type = GSS_KRB5_NT_PRINCIPAL_NAME;
 major = gss_import_name(&minor, &name_buf, name_type, namep);
+ if (major == GSS_S_BAD_NAMETYPE &&
+ gss_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) {
+ major = gss_import_name(&minor, &name_buf,
+ GSS_C_NT_USER_NAME, namep);
+ }
 if (name != principal->name.name_string.val[0])
 krb5_xfree(name);
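Review bot: The new retry with `GSS_C_NT_USER_NAME` fires for every name type that took the `GSS_KRB5_NT_PRINCIPAL_NAME` branch, whereas the removed condition mapped only `KRB5_NT_PRINCIPAL` and `KRB5_NT_ENTERPRISE_PRINCIPAL` to a user name. A principal of another type (a service or host name, for example) that previously failed with `GSS_S_BAD_NAMETYPE` would now be imported as a user name, which presumably changes the identity the pre-auth exchange asserts. If the fallback is only meant to restore the old behaviour for plain principals, guard it with `if (major == GSS_S_BAD_NAMETYPE && principal->name.name_type == KRB5_NT_PRINCIPAL && gss_oid_equal(name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) {`. Otherwise add a comment above the retry such as `/* no imported mechanism accepts Kerberos principal names; retry as a generic user name */` so the wider scope is visibly intentional. The body of `_krb5_gss_pa_unparse_name` starts and ends outside this hunk, so how `name` is built (full unparsed principal versus first component) cannot be checked from here.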