s3:libads: Do not turn on canonicalization flag for MIT Kerberos

This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155

Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 123584294cfd153acc2d9a5be9d71c395c847a25)

Autobuild-User(v4-10-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-10-test): Wed Oct 16 16:43:59 UTC 2019 on sn-devel-144

1 files changed, 15 insertions, 0 deletions

diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 67bc2f4640d..028b0dcfa65 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -207,7 +207,22 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
 	krb5_get_init_creds_opt_set_win2k(context, opts, true);
 	krb5_get_init_creds_opt_set_canonicalize(context, opts, true);
 #else /* MIT */
+#if 0
+	/*
+	 * FIXME
+	 *
+	 * Due to an upstream MIT Kerberos bug, this feature is not
+	 * not working. Affection versions (2019-10-09): <= 1.17
+	 *
+	 * Reproducer:
+	 * kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM
+	 *
+	 * This is NOT a problem if the service is a krbtgt.
+	 *
+	 * https://bugzilla.samba.org/show_bug.cgi?id=14155
+	 */
 	krb5_get_init_creds_opt_set_canonicalize(opts, true);
+#endif
 #endif /* MIT */
 
     /* note that heimdal will fill in the local addresses if the addresses