From f03983b64d82da4ae8e2b510ebb6ad3f454d0c4d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 8 Jun 2021 14:59:09 +1200
Subject: [PATCH] HEIMDAL: Require armor_server to be a krbtgt name, not just a
 server name

Samba has a different lookup path for krbtgt/ principals.

armor_server is in this case the same as the server in a normal
TGS-REQ, just inside the FAST armor, so needs to have the same
lookup properties as the TGS-REQ does.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 kdc/fast.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kdc/fast.c b/kdc/fast.c
index aacd7b743..af232f88e 100644
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -429,7 +429,8 @@ _kdc_fast_unwrap_request(astgs_request_t r)
     }
 
     ret = _kdc_db_fetch(r->context, r->config, armor_server,
-			HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS,
+			HDB_F_GET_KRBTGT
+			| HDB_F_DELAY_NEW_KEYS,
 			NULL, NULL, &armor_user);
     if(ret == HDB_ERR_NOT_FOUND_HERE) {
 	kdc_log(r->context, r->config, 5,