Patch for Bug #37687
--- heimdal-1.6~git20120403+dfsg1.orig/kdc/krb5tgs.c 2014-11-29 20:07:40.932000000 +0100
+++ heimdal-1.6~git20120403+dfsg1/kdc/krb5tgs.c 2014-11-29 20:29:03.736000000 +0100
@@ -537,6 +537,25 @@ check_constrained_delegation(krb5_contex
 if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
 return 0;
+ /* It's also Ok if server contains REALM and delegates to itself */
+ {
+ krb5_principal tmp_princ;
+ char *tmp_spn;
+ ret = krb5_unparse_name_flags(context, server->entry.principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &tmp_spn);
+ if (!ret) {
+ ret = krb5_parse_name(context, tmp_spn, &tmp_princ);
+ free(tmp_spn);
+ if (!ret) {
+ if(krb5_realm_compare(context, tmp_princ, server->entry.principal) &&
+ (krb5_principal_compare(context, client->entry.principal, tmp_princ) == TRUE)) {
+ krb5_free_principal(context, tmp_princ);
+ return 0;
+ }
+ krb5_free_principal(context, tmp_princ);
+ }
+ }
+ }
+
 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
 if (ret) {
 krb5_clear_error_message(context);
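Review bot: The added block returns 0 before the `hdb_entry_get_ConstrainedDelegACL` lookup, so it is an authorization shortcut, yet its comment does not say which principal form it accepts that the `krb5_principal_compare` check just above does not. `krb5_parse_name` fills in the context's default realm, so the result depends on KDC configuration; and if the unparse/parse round trip preserves the name components (it appears to, since only `KRB5_PRINCIPAL_UNPARSE_NO_REALM` is passed), then whenever `krb5_realm_compare` succeeds `tmp_princ` should equal `server->entry.principal` and the branch would accept nothing new, which is worth confirming with a test and stating in the comment. The duplicated `krb5_free_principal` can be folded into one path: `krb5_boolean same = krb5_realm_compare(context, tmp_princ, server->entry.principal) && krb5_principal_compare(context, client->entry.principal, tmp_princ) == TRUE;` then `krb5_free_principal(context, tmp_princ);` then `if (same) return 0;`. A failed `krb5_parse_name` may also leave an error message set in the context, so a `krb5_clear_error_message(context);` on that path would match the handling a few lines below. The body of check_constrained_delegation starts and ends outside this hunk.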