From fd209c5dca89e599f24a853cc9e9a55dc2d04f4c Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Tue, 7 May 2019 13:54:10 +1000
Subject: [PATCH] krb5: set PKINIT_BTMM flag per Apple implementation
---
 lib/krb5/pkinit.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index 423397a91..3079b81ed 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -2380,6 +2380,11 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
 opt->opt_private->pk_init_ctx = NULL;
 return ret;
 }
+ if (flags & KRB5_GIC_OPT_PKINIT_BTMM)
+ opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM;
+
+ if (principal && krb5_principal_is_lkdc(context, principal))
+ opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM;
 
 if (opt->opt_private->pk_init_ctx->id->certs) {
 _krb5_pk_set_user_id(context,
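Review bot: The second added test turns on `PKINIT_BTMM` for any principal that `krb5_principal_is_lkdc()` accepts, even when the caller did not pass `KRB5_GIC_OPT_PKINIT_BTMM`, so a mode that was an explicit opt-in is now selected by the principal name alone. What the flag changes is not visible in this hunk; if it loosens verification of the KDC's signed reply or certificate (to be confirmed wherever `PKINIT_BTMM` is tested in pkinit.c), that relaxation should be stated at this spot so the implicit path is a documented decision. I would fold the two tests into one, `if ((flags & KRB5_GIC_OPT_PKINIT_BTMM) || (principal && krb5_principal_is_lkdc(context, principal)))`, with a comment above it such as `/* LKDC principals imply BTMM handling (matches Apple); PKINIT_BTMM affects: <checks, to be filled in> */`. The body of krb5_get_init_creds_opt_set_pkinit starts and ends outside the hunk, so whether `pk_init_ctx->id` is always set on the success path reaching these lines cannot be checked from here.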