Put KDB authdata first

Windows services, as well as some versions of Samba, may refuse tickets if the PAC is not in the first AD-IF-RELEVANT container. In fetch_kdb_authdata(), change the merge order so that authdata from the KDB module appears first. [ghudson@mit.edu: added comment and clarified commit message] (cherry picked from commit 331fa4b) ticket: 8872 version_fixed: 1.17.2
krb5 · Feb 10, 2020 · 813ef2b · 813ef2b
1 parent 45ec4ac
commit 813ef2b
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
@@ -383,11 +383,14 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,
     if (ret)
         return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;
 
-    /* Add the KDB authdata to the ticket, without copying or filtering. */
-    ret = merge_authdata(context, db_authdata,
-                         &enc_tkt_reply->authorization_data, FALSE, FALSE);
+    /* Put the KDB authdata first in the ticket.  A successful merge places the
+     * combined list in db_authdata and releases the old ticket authdata. */
+    ret = merge_authdata(context, enc_tkt_reply->authorization_data,
+                         &db_authdata, FALSE, FALSE);
     if (ret)
         krb5_free_authdata(context, db_authdata);
+    else
+        enc_tkt_reply->authorization_data = db_authdata;
     return ret;
 }