authorIsaac Boukris <iboukris@gmail.com>2020-02-01 16:13:30 +0100
committerGreg Hudson <ghudson@mit.edu>2020-02-10 14:32:30 -0500
commit813ef2b92dbabff0e998436eaf6e75bdc92a245a (patch)
tree9625cd6c4970a0d6dded748feeb7ababb7539bba
parent45ec4ac9a159b6be3042356ba4570e4c501b5726 (diff)
Put KDB authdata first
Windows services, as well as some versions of Samba, may refuse tickets if the PAC is not in the first AD-IF-RELEVANT container. In fetch_kdb_authdata(), change the merge order so that authdata from the KDB module appears first. [ghudson@mit.edu: added comment and clarified commit message] (cherry picked from commit 331fa4bdd34263ea20667a0f51338cb84357fdaa) ticket: 8872 version_fixed: 1.17.2
-rw-r--r--src/kdc/kdc_authdata.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 1b067cb..616c3ea 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -383,11 +383,14 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,
if (ret)
return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? 0 : ret;
- /* Add the KDB authdata to the ticket, without copying or filtering. */
- ret = merge_authdata(context, db_authdata,
- &enc_tkt_reply->authorization_data, FALSE, FALSE);
+ /* Put the KDB authdata first in the ticket. A successful merge places the
+ * combined list in db_authdata and releases the old ticket authdata. */
+ ret = merge_authdata(context, enc_tkt_reply->authorization_data,
+ &db_authdata, FALSE, FALSE);
if (ret)
krb5_free_authdata(context, db_authdata);
+ else
+ enc_tkt_reply->authorization_data = db_authdata;
return ret;
}
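Review bot: The unconditional `enc_tkt_reply->authorization_data = db_authdata;` in the new `else` branch is only safe if merge_authdata() has consumed the old ticket list on every path that returns 0, and that contract is not visible in this hunk. If merge_authdata() returns success early for a NULL or empty input list without freeing the container (worth confirming against its definition), a non-NULL but empty ticket authdata array would be overwritten here and leaked. Either handle that case before the call or extend the new comment to state it, for example `/* merge_authdata() frees the input container on every success path, including an empty list. */`. Because the commit message says relying services may refuse tickets when the PAC is not in the first AD-IF-RELEVANT container, a regression test that asserts the KDB authdata comes first in the issued ticket would keep this ordering from silently reverting. The body of fetch_kdb_authdata() starts outside the hunk, so how db_authdata is initialised could not be checked from here.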