Index: accept_sec_context.c
===================================================================
RCS file: /opt/cvs/krb5/src/lib/gssapi/krb5/accept_sec_context.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- accept_sec_context.c 25 Aug 2004 14:05:08 -0000 1.1.1.1
+++ accept_sec_context.c 25 Aug 2004 16:11:17 -0000 1.2
@@ -388,11 +388,39 @@
 goto fail;
 }
- if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
+ if ((code = krb5_rd_req(context, &auth_context, &ap_req, NULL,
 cred->keytab, NULL, &ticket))) {
 major_status = GSS_S_FAILURE;
 goto fail;
 }
+/*
+ * Allow for lax checking of the princ name. This will allow
+ * us to have ssh and ftp use any of the tickets in the
+ * keytab, as we change from dce.anl.gov to KRB5.ANL.GOV
+ * rlogin already allows this. We will check all but realm.
+ */
+ if ( cred->princ && ticket->server) {
+ int i;
+ int nelem;
+ nelem = krb5_princ_size(context, cred->princ);
+ if (nelem == krb5_princ_size(context,ticket->server)) {
+ for (i = 0; i < nelem; i++) {
+ register const krb5_data *p1 =
+ krb5_princ_component(context, cred->princ ,i);
+ register const krb5_data *p2 =
+ krb5_princ_component(context, ticket->server, i);
+ if (p1->length != p2->length ||
+ memcmp(p1->data, p2->data, p1->length)) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+ } else {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+
 krb5_auth_con_setflags(context, auth_context,
 KRB5_AUTH_CONTEXT_DO_SEQUENCE);
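Review bot: The component-only comparison added after `krb5_rd_req(context, &auth_context, &ap_req, NULL, cred->keytab, NULL, &ticket)` drops the realm check for every acceptor that goes through this function, not only ssh and ftp, so a ticket is accepted from any realm that still has a key for the same service name in `cred->keytab`. That makes the keytab contents the only trust boundary: the old realm's keys keep working until someone removes them, and nothing in the code limits the exception to the two realms named in the comment. Consider comparing the realm of `ticket->server` against an explicit list of accepted realms, or gating the lax path on a configuration setting, and stating in the comment that old-realm keytab entries must be removed once the migration ends. Both mismatch branches also jump to `fail` with `code` still 0 from the successful `krb5_rd_req`, so, depending on how `fail` (outside this hunk) reports it, the caller may get `GSS_S_FAILURE` with no minor status; setting `code = KRB5KRB_AP_WRONG_PRINC;` before each `goto fail;` would make the rejection diagnosable and loggable. The enclosing function starts and ends outside the hunk.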