-rw-r--r--selftest/knownfail_heimdal_kdc4
-rw-r--r--selftest/knownfail_mit_kdc2
-rw-r--r--source4/kdc/kpasswd-service.c30
3 files changed, 30 insertions, 6 deletions
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 0d93253f999..424a8b81c38 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -271,7 +271,3 @@
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
-#
-# Kpasswd tests
-#
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index c2a31b4a140..0d2f5bab6d2 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -581,5 +581,3 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
diff --git a/source4/kdc/kpasswd-service.c b/source4/kdc/kpasswd-service.c
index 0d2acd8d9e8..b6400be0c49 100644
--- a/source4/kdc/kpasswd-service.c
+++ b/source4/kdc/kpasswd-service.c
@@ -29,6 +29,7 @@
#include "kdc/kdc-server.h"
#include "kdc/kpasswd-service.h"
#include "kdc/kpasswd-helper.h"
+#include "param/param.h"
#define HEADER_LEN 6
#ifndef RFC3244_VERSION
@@ -158,6 +159,20 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx);
+ /*
+ * After calling cli_credentials_set_conf(), explicitly set the realm
+ * with CRED_SPECIFIED. We need to do this so the result of
+ * principal_from_credentials() called from the gensec layer is
+ * CRED_SPECIFIED rather than CRED_SMB_CONF, avoiding a fallback to
+ * match-by-key (very undesirable in this case).
+ */
+ ok = cli_credentials_set_realm(server_credentials,
+ lpcfg_realm(kdc->task->lp_ctx),
+ CRED_SPECIFIED);
+ if (!ok) {
+ goto done;
+ }
+
ok = cli_credentials_set_username(server_credentials,
"kadmin/changepw",
CRED_SPECIFIED);
@@ -165,6 +180,21 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
goto done;
}
+ /* Check that the server principal is indeed CRED_SPECIFIED. */
+ {
+ char *principal = NULL;
+ enum credentials_obtained obtained;
+
+ principal = cli_credentials_get_principal_and_obtained(server_credentials,
+ tmp_ctx,
+ &obtained);
+ if (obtained < CRED_SPECIFIED) {
+ goto done;
+ }
+
+ TALLOC_FREE(principal);
+ }
+
rv = cli_credentials_set_keytab_name(server_credentials,
kdc->task->lp_ctx,
kdc->kpasswd_keytab_name,
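Review bot: The new check reads `obtained` without initialising it and never tests `principal` for NULL, so if cli_credentials_get_principal_and_obtained() fails (for example on allocation failure) before storing through `&obtained`, the comparison on the `if (obtained < CRED_SPECIFIED)` line uses an indeterminate value and may let the request through or refuse it at random. Declare it as `enum credentials_obtained obtained = CRED_UNINITIALISED;` and make the guard `if (principal == NULL || obtained < CRED_SPECIFIED) {` so both the failed lookup and the not-specified case take the `goto done` path deterministically. That path also leaves silently, which makes a refused kpasswd request hard to diagnose in production; a debug message naming the obtained level before the goto would help operators, and the same applies to the earlier `cli_credentials_set_realm()` failure in the previous hunk. The `principal` string is only freed on the success path, which is presumably fine because it is allocated on `tmp_ctx`, but that should be confirmed against the `done:` label, which lies outside this hunk along with the rest of kpasswd_process().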