From b3371af1c50098730dd205f9de00c90289d3af26 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 8 Nov 2017 13:18:29 +0100
Subject: [PATCH] HEIMDAL:kdc: use the correct authtime from addtitional ticket
 for S4U2Proxy tickets

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source4/heimdal/kdc/krb5tgs.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index d59eb97..5033a24 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -725,6 +725,7 @@ tgs_make_reply(krb5_context context,
 	       KDC_REQ_BODY *b,
 	       krb5_const_principal tgt_name,
 	       const EncTicketPart *tgt,
+	       const EncTicketPart *adtgt,
 	       const krb5_keyblock *replykey,
 	       int rk_is_subkey,
 	       const EncryptionKey *serverkey,
@@ -758,7 +759,7 @@ tgs_make_reply(krb5_context context,
     rep.pvno = 5;
     rep.msg_type = krb_tgs_rep;
 
-    et.authtime = tgt->authtime;
+    et.authtime = adtgt->authtime;
     _kdc_fix_time(&b->till);
     et.endtime = min(tgt->endtime, *b->till);
     ALLOC(et.starttime);
@@ -1480,6 +1481,7 @@ tgs_build_reply(krb5_context context,
     Realm r;
     int nloop = 0;
     EncTicketPart adtkt;
+    EncTicketPart *adtgt = tgt;
     char opt_str[128];
     int signedpath = 0;
 
@@ -2147,7 +2149,7 @@ server_lookup:
 	if (rk_is_subkey == 0) {
 	    auth_data_key = &adtkt.key;
 	}
-
+	adtgt = &adtkt;
 	kdc_log(context, config, 0, "constrained delegation for %s "
 		"from %s (%s) to %s", tpn, cpn, dpn, spn);
     }
@@ -2263,6 +2265,7 @@ server_lookup:
 			 b,
 			 tp,
 			 tgt,
+			 adtgt,
 			 replykey,
 			 rk_is_subkey,
 			 ekey,
-- 
1.9.1