From 6b635f66de08b5972366ac63e298d9672a3cae76 Mon Sep 17 00:00:00 2001
From: Luke Howard <lukeh@padl.com>
Date: Thu, 16 Dec 2021 16:05:07 +1100
Subject: [PATCH] kdc: fix regression when validating armor client

Resolving the FAST armor client principal must use the same logic as the AS
itself. Allow synthetic client principals when validating FAST armor TGTs.
---
 kdc/fast.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kdc/fast.c b/kdc/fast.c
index 3ff95e98a..33852e8be 100644
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -695,7 +695,7 @@ fast_unwrap_request(astgs_request_t r,
 	    goto out;
 
 	ret = _kdc_db_fetch(r->context, r->config, armor_client_principal,
-			    HDB_F_GET_CLIENT | flags,
+			    HDB_F_GET_CLIENT | HDB_F_SYNTHETIC_OK | flags,
 			    NULL, NULL, &armor_client);
 	if (ret) {
 	    ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
-- 
2.11.4.GIT