From 684821fc68fd27ddcc5f809a37819edd35365a9d Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Sat, 1 Feb 2020 16:13:30 +0100
Subject: [PATCH] Put KDB authdata first

Windows services, as well as some versions of Samba, may refuse tickets if the PAC is not in the first AD-IF-RELEVANT container. In fetch_kdb_authdata(), change the merge order so that authdata from the KDB module appears first.

[ghudson@mit.edu: added comment and clarified commit message]

ticket: 8872 (new)
tags: pullup
target_version: 1.18
target_version: 1.17-next

(cherry picked from commit 331fa4bdd34263ea20667a0f51338cb84357fdaa)
(cherry picked from commit 1678270de3fda699114122447b1f06b08fb4e53e)
---
 src/kdc/kdc_authdata.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 1b067cb0b..616c3eadc 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -383,11 +383,14 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,
 if (ret)
 return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;
- /* Add the KDB authdata to the ticket, without copying or filtering. */
- ret = merge_authdata(context, db_authdata, &enc_tkt_reply->authorization_data, FALSE, FALSE);
+ /* Put the KDB authdata first in the ticket. A successful merge places the
+ * combined list in db_authdata and releases the old ticket authdata. */
+ ret = merge_authdata(context, enc_tkt_reply->authorization_data, &db_authdata, FALSE, FALSE);
 if (ret)
 krb5_free_authdata(context, db_authdata);
+ else
+ enc_tkt_reply->authorization_data = db_authdata;
 return ret;
 }
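Review bot: The failure branch (`if (ret) krb5_free_authdata(context, db_authdata);`) now depends on merge_authdata leaving `enc_tkt_reply->authorization_data` intact and still owned by the caller when it fails, since the ticket's list is passed as the consumed input rather than the output; merge_authdata is outside this hunk, so that contract cannot be confirmed here and it should be stated where the code relies on it. I would extend the new comment with a line such as ` * On failure the ticket's authdata is assumed untouched and still owned by the caller.`, or confirm and document the error-path behaviour on merge_authdata itself. Because the ordering is now an interoperability requirement rather than a cosmetic choice, a regression test asserting that the PAC ends up in the first AD-IF-RELEVANT container of an issued ticket would keep a later refactor of the merge order from silently reintroducing the rejection described in the commit message. The body of fetch_kdb_authdata begins before the hunk.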