krb5 commit [krb5-1.18]: Put KDB authdata first
Greg Hudson
ghudson at mit.edu
Mon Feb 10 17:14:49 EST 2020
https://github.com/krb5/krb5/commit/ca0e1e9c663db20823130df5ee9d7b2d3a879fbe
commit ca0e1e9c663db20823130df5ee9d7b2d3a879fbe
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sat Feb 1 16:13:30 2020 +0100
Put KDB authdata first
Windows services, as well as some versions of Samba, may refuse
tickets if the PAC is not in the first AD-IF-RELEVANT container. In
fetch_kdb_authdata(), change the merge order so that authdata from the
KDB module appears first.
[ghudson at mit.edu: added comment and clarified commit message]
(cherry picked from commit 331fa4bdd34263ea20667a0f51338cb84357fdaa)
ticket: 8872
version_fixed: 1.18
src/kdc/kdc_authdata.c | 9 ++++++---
1 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index a18e4b4..1ebe872 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -372,11 +372,14 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,
if (ret)
return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;
- /* Add the KDB authdata to the ticket, without copying or filtering. */
- ret = merge_authdata(context, db_authdata,
- &enc_tkt_reply->authorization_data, FALSE, FALSE);
+ /* Put the KDB authdata first in the ticket. A successful merge places the
+ * combined list in db_authdata and releases the old ticket authdata. */
+ ret = merge_authdata(context, enc_tkt_reply->authorization_data,
+ &db_authdata, FALSE, FALSE);
if (ret)
krb5_free_authdata(context, db_authdata);
+ else
+ enc_tkt_reply->authorization_data = db_authdata;
return ret;
}
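Review bot: In the `if (ret)` branch, db_authdata is freed and enc_tkt_reply->authorization_data is left pointing at the old list, which is safe only if a failed merge_authdata() leaves both lists unmodified and still owned by the caller; the new comment documents only the success case. Suggest extending the comment to state the failure contract as well (for example, "On failure both lists are left unchanged"), so a later change to merge_authdata() cannot quietly turn this path into a double free or a dangling pointer in the ticket. Because the commit message says Windows services and some Samba versions depend on this ordering, and the diffstat shows only src/kdc/kdc_authdata.c changed, a regression test asserting that the KDB authdata comes first in the issued ticket would keep the order from being reverted unnoticed.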