[krbdev.mit.edu #7639] git commit

Tom Yu via RT rt-comment at krbdev.mit.edu
Tue May 28 17:37:20 EDT 2013


Fix transited handling for GSSAPI acceptors

The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter.  If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.

To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.

Based on a bug report and patch from nalin at redhat.com.

(cherry picked from commit 57acee11b5c6682a7f4f036e35d8b2fc9292875e)

https://github.com/krb5/krb5/commit/b4d2d74082d239e3024254ab8ffb55c9dd087ff7
Author: Greg Hudson <ghudson at mit.edu>
Committer: Tom Yu <tlyu at mit.edu>
Commit: b4d2d74082d239e3024254ab8ffb55c9dd087ff7
Branch: krb5-1.11
 src/lib/krb5/krb/rd_req_dec.c |    8 +++++---
 src/tests/gssapi/t_gssapi.py  |   13 +++++++++++++
 2 files changed, 18 insertions(+), 3 deletions(-)
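
The failure and the fix described in the commit message above, as a simplified C model added here; it is not krb5 source and not part of the commit. The struct types, the one-entry keytab, the realm names, the `fixed` switch and the toy parent-realm transited rule are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for illustration; these are not krb5's real types. */
struct princ { const char *realm, *name; };
struct ticket { struct princ server, client; const char *transited; };

/* Constructed sample data: one keytab entry, one cross-realm ticket, one matching principal. */
static const struct princ keytab[] = { { "B.EXAMPLE", "host/svc" } };
static const struct ticket sample = { { "B.EXAMPLE", "host/svc" }, { "A.EXAMPLE", "alice" }, "EXAMPLE" };
static const struct princ match_any_realm = { "", "host/svc" };

/* Matching principal: an empty realm or name matches anything. */
static int matches(const struct princ *pat, const struct princ *p) {
    return (!*pat->realm || !strcmp(pat->realm, p->realm)) &&
           (!*pat->name || !strcmp(pat->name, p->name));
}

/* Models decrypt_ticket: on success ticket->server becomes the keytab entry's name. */
static int decrypt_with_keytab(struct ticket *t, const struct princ *pat) {
    for (size_t i = 0; i < sizeof(keytab) / sizeof(keytab[0]); i++)
        if (matches(pat, &keytab[i]) && matches(&keytab[i], &t->server)) { t->server = keytab[i]; return 0; }
    return -1;
}

/* Toy hierarchical rule: anc is a parent realm of realm ("EXAMPLE" of "A.EXAMPLE"). */
static int is_parent(const char *anc, const char *realm) {
    size_t la = strlen(anc), lr = strlen(realm);
    return lr > la && realm[lr - la - 1] == '.' && !strcmp(realm + lr - la, anc);
}

/* Toy transited check: the transited realm must be a parent of both end realms. */
static int check_transited(const struct ticket *t, const char *server_realm) {
    if (!*t->transited) return 0;
    return (is_parent(t->transited, t->client.realm) &&
            is_parent(t->transited, server_realm)) ? 0 : -1;
}

/* fixed=0 keeps the caller's matching principal; fixed=1 resets server to ticket->server. */
static int rd_req(struct ticket t, const struct princ *server, int fixed) {
    if (decrypt_with_keytab(&t, server) != 0) return -1;
    if (fixed) server = &t.server;   /* realm now comes from the keytab entry */
    return check_transited(&t, server->realm);
}

int main(void) {
    printf("before: %d, after: %d\n", rd_req(sample, &match_any_realm, 0), rd_req(sample, &match_any_realm, 1));
    return 0;
}
```

In this model the unfixed path rejects a valid cross-realm ticket because the transited check is run against the matching principal's empty realm, while the fixed path checks against the realm taken from the keytab entry.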


