From 944ee4701d4b889c85122ab1999c2808627599bc Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 18 Aug 2018 00:40:30 +0300
Subject: [PATCH] mit-kdc: check_policy_as can actually be a tgs

This happens when we are called from S4U2Self flow,
and in that case kdcreq->client is NULL.
Use the name from client entry instead.

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
---
 source4/kdc/mit-kdb/kdb_samba_policies.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index de5813bde2f..81ac73582e0 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -81,6 +81,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 	char *netbios_name = NULL;
 	char *realm = NULL;
 	bool password_change = false;
+	krb5_const_principal client_princ;
 	DATA_BLOB int_data = { NULL, 0 };
 	krb5_data d;
 	krb5_pa_data **e_data;
@@ -90,7 +91,10 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 		return KRB5_KDB_DBNOTINITED;
 	}
 
-	if (ks_is_kadmin(context, kdcreq->client)) {
+	/* Prefer canonicalised name from client entry */
+	client_princ = client ? client->princ : kdcreq->client;
+
+	if (client_princ == NULL || ks_is_kadmin(context, client_princ)) {
 		return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 	}
 
@@ -111,7 +115,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 		goto done;
 	}
 
-	code = krb5_unparse_name(context, kdcreq->client, &client_name);
+	code = krb5_unparse_name(context, client_princ, &client_name);
 	if (code) {
 		goto done;
 	}
-- 
2.14.3