Diffstat (limited to 'src/lib/krb5/krb/gc_frm_kdc.c')
-rw-r--r--src/lib/krb5/krb/gc_frm_kdc.c21
1 files changed, 9 insertions, 12 deletions
diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index 3098e8e..b3144c8 100644
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -1007,6 +1007,11 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
DUMP_PRINC("gc_from_kdc: server as requested", supplied_server);
+ if (in_cred->second_ticket.length != 0 &&
+ (kdcopt & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
+ kdcopt |= KDC_OPT_ENC_TKT_IN_SKEY;
+ }
+
/*
* Try requesting a service ticket from our local KDC with referrals
* turned on. If the first referral succeeds, follow a referral-only
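Review bot: The added guard ahead of the referral logic has no comment explaining why KDC_OPT_CNAME_IN_ADDL_TKT suppresses KDC_OPT_ENC_TKT_IN_SKEY, yet that distinction decides how the KDC interprets `in_cred->second_ticket`. I would add above it `/* A second ticket means user-to-user unless the caller asked for constrained delegation (CNAME_IN_ADDL_TKT), where it is the evidence ticket. */`. The inverse cases are not handled in this hunk: a caller that sets KDC_OPT_CNAME_IN_ADDL_TKT with an empty second_ticket, or that passes both options in kdcopt, still reaches the four krb5_get_cred_via_tkt() calls with those options intact. Whether that helper rejects such combinations is not visible here, so an explicit early check with a clear error may be worth adding. The body of krb5_get_cred_from_kdc_opt starts and ends outside the hunk.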
@@ -1028,9 +1033,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
retval = krb5_get_cred_via_tkt(context, tgtptr,
KDC_OPT_CANONICALIZE |
FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt |
- (in_cred->second_ticket.length ?
- KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ kdcopt,
tgtptr->addresses, in_cred, out_cred);
if (retval) {
DPRINTF(("gc_from_kdc: referral TGS-REQ request failed: <%s>\n",
@@ -1048,9 +1051,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
"retrying without option.\n", referral_count + 1));
retval = krb5_get_cred_via_tkt(context, tgtptr,
FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt |
- (in_cred->second_ticket.length ?
- KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ kdcopt,
tgtptr->addresses,
in_cred, out_cred);
/* Whether or not that succeeded, we're done. */
@@ -1090,9 +1091,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
retval = krb5_get_cred_via_tkt(context, tgtptr,
KDC_OPT_CANONICALIZE |
FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt |
- (in_cred->second_ticket.length ?
- KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ kdcopt,
tgtptr->addresses,
in_cred, out_cred);
goto cleanup;
@@ -1257,9 +1256,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
context->use_conf_ktypes = old_use_conf_ktypes;
retval = krb5_get_cred_via_tkt(context, tgtptr,
FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt |
- (in_cred->second_ticket.length ?
- KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ kdcopt,
tgtptr->addresses, in_cred, out_cred);
cleanup: