From 2f013b0d48552b263f5e90279692f55e152ba060 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Wed, 1 May 2019 16:32:44 +1000 Subject: [PATCH] kdc: fix compliance with RFC 8062 Section 4.1 RFC 8062 states that if the client in the AS request is anonymous, the anonymous KDC option must be set in the request; otherwise, KDC_ERR_BADOPTION must be returned. We were previously returning KDC_ERR_C_PRINCIPAL_UNKNOWN.
---
 kdc/kerberos5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 33a4127ef..d189b7783 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1763,7 +1763,7 @@ _kdc_as_rep(kdc_request_t r,
 if (_kdc_is_anonymous(context, r->client_princ)) {
 if (!_kdc_is_anon_request(b)) {
 kdc_log(context, config, 0, "Anonymous ticket w/o anonymous flag");
- ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ ret = KRB5KDC_ERR_BADOPTION;
 goto out;
 }
 } else if (_kdc_is_anon_request(b)) {
-- 2.11.4.GIT
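Review bot: The new `ret = KRB5KDC_ERR_BADOPTION;` assignment has no comment tying it to RFC 8062 Section 4.1, so the reason for preferring it over KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN lives only in the commit message; I would add `/* RFC 8062 Section 4.1: anonymous client name without the anonymous KDC option => KDC_ERR_BADOPTION */` directly above it. The unchanged `kdc_log` call just before records, as far as the hunk shows, neither the requesting client nor the error code returned, which makes these rejections harder to correlate in KDC logs; it is worth confirming that the caller logs this elsewhere. `_kdc_as_rep` starts and ends outside the hunk, so the `out:` path, and whether any existing test still expects the old error code, cannot be checked from here.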