From 82cabae196eae2e7937264e0357d287ddd301e4f Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Apr 07 2017 16:13:00 +0000
Subject: Fix use of enterprise principals with forwarding
---
diff --git a/Add-the-client_name-kdcpreauth-callback.patch b/Add-the-client_name-kdcpreauth-callback.patch
new file mode 100644
index 0000000..96ae084
--- /dev/null
+++ b/Add-the-client_name-kdcpreauth-callback.patch
@@ -0,0 +1,58 @@
+From 5d560c28ff46b04013ab64dc51a7d912d38b01de Mon Sep 17 00:00:00 2001
+From: Matt Rogers
+Date: Tue, 4 Apr 2017 16:54:56 -0400
+Subject: [PATCH] Add the client_name() kdcpreauth callback
+
+Add a kdcpreauth callback to returns the canonicalized client principal.
+
+ticket: 8570 (new)
+(cherry picked from commit a84f39ec30f3deeda7836da6e8b3d8dcf7a045b1)
+---
+ src/include/krb5/kdcpreauth_plugin.h | 6 ++++++
+ src/kdc/kdc_preauth.c | 9 ++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
+index 92aa5a5a5..fa4436b83 100644
+--- a/src/include/krb5/kdcpreauth_plugin.h
++++ b/src/include/krb5/kdcpreauth_plugin.h
+@@ -232,6 +232,12 @@ typedef struct krb5_kdcpreauth_callbacks_st {
+ krb5_kdcpreauth_rock rock,
+ krb5_principal princ);
+ 
++ /*
++ * Get an alias to the client DB entry principal (possibly canonicalized).
++ */
++ krb5_principal (*client_name)(krb5_context context,
++ krb5_kdcpreauth_rock rock);
++
+ /* End of version 4 kdcpreauth callbacks. */
+ 
+ } *krb5_kdcpreauth_callbacks;
+diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
+index 0ce79c667..81d0b8cff 100644
+--- a/src/kdc/kdc_preauth.c
++++ b/src/kdc/kdc_preauth.c
+@@ -591,6 +591,12 @@ match_client(krb5_context context, krb5_kdcpreauth_rock rock,
+ return match;
+ }
+ 
++static krb5_principal
++client_name(krb5_context context, krb5_kdcpreauth_rock rock)
++{
++ return rock->client->princ;
++}
++
+ static struct krb5_kdcpreauth_callbacks_st callbacks = {
+ 4,
+ max_time_skew,
+@@ -607,7 +613,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
+ add_auth_indicator,
+ get_cookie,
+ set_cookie,
+- match_client
++ match_client,
++ client_name
+ };
+ 
+ static krb5_error_code
diff --git a/Use-the-canonical-client-principal-name-for-OTP.patch b/Use-the-canonical-client-principal-name-for-OTP.patch
new file mode 100644
index 0000000..1cc6163
--- /dev/null
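Review bot: The new `client_name` member is appended to `krb5_kdcpreauth_callbacks_st` while the version in the `callbacks` initializer stays `4,` and the header still says `/* End of version 4 kdcpreauth callbacks. */`, so an out-of-tree module built against the older header has no version signal that the member exists. Presumably this is acceptable because the only consumer this series adds is the in-tree OTP module (see the companion `Use-the-canonical-client-principal-name-for-OTP.patch`), but the header comment should say so, or the version should be bumped. The comment should also spell out the ownership that `return rock->client->princ;` implies, e.g. `/* Get an alias to the client DB entry principal (possibly canonicalized). The result is owned by the request state and must not be freed by the caller. */`. The `client_name` definition is complete within the hunk; the struct definitions it touches start outside it.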
+++ b/Use-the-canonical-client-principal-name-for-OTP.patch
@@ -0,0 +1,29 @@
+From ca74a8a49f4a05c0b602c9dc473fd16fe71847fd Mon Sep 17 00:00:00 2001
+From: Matt Rogers
+Date: Wed, 5 Apr 2017 16:48:55 -0400
+Subject: [PATCH] Use the canonical client principal name for OTP
+
+In the OTP module, when constructing the RADIUS request, use the
+canonicalized client principal (using the new client_name kdcpreauth
+callback) instead of the request client principal.
+
+ticket: 8571 (new)
+(cherry picked from commit 6411398e35e343cdc4d2d103b079c4d3b9031f7e)
+---
+ src/plugins/preauth/otp/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
+index 2649e9a90..a1b681682 100644
+--- a/src/plugins/preauth/otp/main.c
++++ b/src/plugins/preauth/otp/main.c
+@@ -331,7 +331,8 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+ 
+ /* Send the request. */
+ otp_state_verify((otp_state *)moddata, cb->event_context(context, rock),
+- request->client, config, req, on_response, rs);
++ cb->client_name(context, rock), config, req, on_response,
++ rs);
+ cb->free_string(context, rock, config);
+ 
+ k5_free_pa_otp_req(context, req);
diff --git a/krb5.spec b/krb5.spec
index 79824bd..1b43117 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.15.1
 # for prerelease, should be e.g., 0.3.beta2%{?dist}
-Release: 3%{?dist}
+Release: 4%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
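Review bot: The call site now passes `cb->client_name(context, rock)` to `otp_state_verify` with no comment, so a reader of `otp_verify` cannot tell why the DB-entry principal is preferred over `request->client`; I would extend the existing comment to `/* Send the request, naming the client by its canonical DB entry rather than the request name, so aliased clients map to one RADIUS user. */`. This also changes the username a RADIUS server receives for any client whose request name differs from its DB entry, which is a visible behavioral change for deployments that key RADIUS accounts on the typed name and deserves a line in the package changelog. `cb->client_name` only exists once the companion `Add-the-client_name-kdcpreauth-callback.patch` is applied, so Patch22 must stay ahead of Patch23 in the spec, as it does. `otp_verify` begins and ends outside the hunk.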
@@ -69,6 +69,8 @@ Patch18: Add-test-cert-generation-to-make-certs.sh.patch
 Patch19: Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
 Patch20: Deindent-crypto_retrieve_X509_sans.patch
 Patch21: Add-certauth-pluggable-interface.patch
+Patch22: Add-the-client_name-kdcpreauth-callback.patch
+Patch23: Use-the-canonical-client-principal-name-for-OTP.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -719,6 +721,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Fri Apr 07 2017 Robbie Harwood - 1.15.1-4
+- Fix use of enterprise principals with forwarding
+
 * Wed Mar 22 2017 Robbie Harwood - 1.15.1-3
 - Backport certauth plugin and related pkinit changes
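Review bot: Patch22 and Patch23 are declared in the `@@ -69,6 +69,8 @@` hunk, but no `%prep` hunk applying them is part of this diff; if this spec applies patches with explicit `%patchN` lines rather than `%autosetup`/`%autopatch`, both files would be declared yet never applied and 1.15.1-4 would build without the fix. Please confirm the `%prep` section, or add `%patch22 -p1 -b .client_name` and `%patch23 -p1 -b .otp_canon` next to the existing entries (the backup suffixes are illustrative; follow the convention the existing lines use). The changelog text `Fix use of enterprise principals with forwarding` also does not mention OTP or RADIUS, which is what the two patch subjects say they change; a wording such as `Use the canonical client principal in the OTP module (enterprise principals with forwarding)` would let a reader match the entry to the patches.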