From 6d1d17efed2a2e6c5510819ecabc3368915f79c9 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand <lha@h5l.org>
Date: Mon, 5 Oct 2009 22:07:47 -0700
Subject: [PATCH] don't canonicalize names that are short then 2 name element

Since KDC will probably guess wrong on them, and doing
afs@CLIENT-REALM have too large change of actually working.
---
 lib/krb5/get_cred.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index 6ec44ff14..118b2bc96 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -898,6 +898,12 @@ get_cred_kdc_referral(krb5_context context,
     int loop = 0;
     int ok_as_delegate = 1;
 
+    if (in_creds->client->name.name_string.len < 2 && !flags.b.canonicalize) {
+	krb5_set_error_message(context, KRB5KDC_ERR_PATH_NOT_ACCEPTED,
+			       N_("Name too short to do referals, skipping", ""));
+	return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
+    }
+
     memset(&tgt, 0, sizeof(tgt));
     memset(&ticket, 0, sizeof(ticket));
 
-- 
2.11.4.GIT