From f3789f8cc5b8f047a977754109966e0182e4b061 Mon Sep 17 00:00:00 2001
From: Chaskiel Grundman
Date: Sun, 6 Jul 2014 14:37:49 -0400
Subject: [PATCH] Document logic in _krb5_is_anon_request

describe why we look at the different bits and fields
---
 kdc/kerberos5.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 757ca9af2..ba0776961 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2329,6 +2329,10 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
 krb5_boolean
 _kdc_is_anon_request(const KDC_REQ_BODY *b)
 {
+ /* some versions of heimdal use bit 14 instead of 16 for
+ request_anonymous, as indicated in the anonymous draft prior to
+ version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy
+ requests will have a second ticket; don't consider those anonymous */
 return (b->kdc_options.request_anonymous ||
 (b->kdc_options.constrained_delegation && !b->additional_tickets));
 }
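Review bot: The added comment in `_kdc_is_anon_request` justifies the bit-14 fallback by saying every S4U2Proxy request carries a second ticket, but the expression it documents only tests whether the optional `additional_tickets` field is present. The comment should say that directly, for example `/* i.e. bit 14 set with no additional-tickets field is treated as a legacy request_anonymous */`, so a reader sees that a request omitting that field takes the anonymous path. It would also help to tie "bit 14" to the name the code uses, `constrained_delegation`, since the comment never mentions that field. Whether the callers confine this heuristic to the message type where the legacy bit can legitimately appear is not visible in this hunk and is worth confirming, because an anonymous classification changes how the client principal is handled.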