From e71fb9f0ca08dbc1f03f09323d8566fbb977e869 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Nov 25 2020 08:14:12 +0000
Subject: Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch


patch_name: Omit-PA_FOR_USER-if-we-can-t-compute-its-checksum.patch
present_in_specfile: true
location_in_specfile: 18

---

diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index fc5c886..d8f486d 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -534,6 +534,13 @@ krb5_get_self_cred_from_kdc(krb5_context context,
         if (s4u_user.user_id.user != NULL && s4u_user.user_id.user->length) {
             code = build_pa_for_user(context, tgtptr, &s4u_user.user_id,
                                      &in_padata[1]);
+            /*
+             * If we couldn't compute the hmac-md5 checksum, send only the
+             * KRB5_PADATA_S4U_X509_USER; this will still work against modern
+             * Windows and MIT KDCs.
+             */
+            if (code == KRB5_CRYPTO_INTERNAL)
+                code = 0;
             if (code != 0) {
                 krb5_free_pa_data(context, in_padata);
                 goto cleanup;