cleanup

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21630 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 7 insertions, 4 deletions

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 41daa68..a13b2a2 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -121,7 +121,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     krb5_authdata **kdc_issued_auth_data = NULL;    /* auth data issued by KDC */
     unsigned int c_flags = 0, s_flags = 0;	    /* client/server KDB flags */
     char *s4u_name = NULL;
-    krb5_boolean is_referral;
+    krb5_boolean is_referral = FALSE;
 
     session_key.contents = NULL;
     
@@ -256,8 +256,11 @@ tgt_again:
     if (!is_local_principal(header_enc_tkt->client))
 	setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
 
-    is_referral = krb5_is_tgs_principal(server.princ) &&
-	!krb5_principal_compare(kdc_context, tgs_server, server.princ);
+    if (krb5_is_tgs_principal(server.princ) &&
+	!krb5_principal_compare(kdc_context, tgs_server, server.princ)) {
+	assert(!isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE));
+	is_referral = TRUE;
+    }
 
     /* Check for protocol transition */
     errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client,
@@ -643,7 +646,7 @@ tgt_again:
 	goto cleanup;
     }
 
-    if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
+    if (is_referral && isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
 	errcode = return_svr_referral_data(kdc_context,
 					   &server, &reply_encpart);
 	if (errcode) {