From f07ee072883ffa4015abb671ea15d585539992b8 Mon Sep 17 00:00:00 2001
From: Chaskiel Grundman
Date: Mon, 7 Jul 2014 12:35:43 -0400
Subject: [PATCH] Use anon realm for anonymous PKINIT

When an AS request names the anonymous principal, use the anonymous realm in the response and ticket.
---
 kdc/kerberos5.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index ba0776961..f93a0108b 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1872,7 +1872,11 @@ _kdc_as_rep(kdc_request_t r,
 rep.pvno = 5;
 rep.msg_type = krb_as_rep;
 
- ret = copy_Realm(&r->client->entry.principal->realm, &rep.crealm);
+ if (_kdc_is_anonymous(context, r->client_princ)) {
+ Realm anon_realm=KRB5_ANON_REALM;
+ ret = copy_Realm(&anon_realm, &rep.crealm);
+ } else
+ ret = copy_Realm(&r->client->entry.principal->realm, &rep.crealm);
 if (ret)
 goto out;
 ret = _krb5_principal2principalname(&rep.cname, r->client->entry.principal);
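Review bot: The new branch in `_kdc_as_rep` chooses the reply's crealm from the requested name alone (`_kdc_is_anonymous(context, r->client_princ)`), and nothing visible in the hunk ties that to the request having actually been served through anonymous PKINIT, while the `cname` copied a few lines later still comes from `r->client->entry.principal`. The function body starts and ends outside the hunk, so if an earlier check already rejects non-PKINIT requests for the anonymous name, record that invariant above the `if`, e.g. `/* anonymous name is only accepted via anonymous PKINIT (checked earlier); the reply must carry the anonymous realm */`; if there is no such check, the condition should presumably also test the pre-authentication method that was used. The commit message mentions the ticket as well, yet only `rep.crealm` is set here, so it is worth confirming that the ticket's crealm is derived from `rep.crealm` later in the function. As a style point, brace the `else` arm to match the braced `if`, and write `Realm anon_realm = KRB5_ANON_REALM;` with spaces around `=`.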