From: Stefan Metzmacher Date: Wed, 19 Mar 2025 23:22:34 +0000 (+0100) Subject: third_party/heimdal: Import lorikeet-heimdal-202503211047 (commit 752fd2fc0d7e48791df... X-Git-Tag: tevent-0.17.0~401 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7af09c5fcb6f70c475ec807eab4c2086958ddaa7;p=thirdparty%2Fsamba.git third_party/heimdal: Import lorikeet-heimdal-202503211047 (commit 752fd2fc0d7e48791df91dd2b45899e64ef65a7a) kdc: Constrained delegation requires a local delegating server BUG: https://bugzilla.samba.org/show_bug.cgi?id=15837 MR: https://github.com/heimdal/heimdal/pull/1274 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme
---
diff --git a/third_party/heimdal/kdc/mssfu.c b/third_party/heimdal/kdc/mssfu.c
index 471e193f544..554e2f2112a 100644
--- a/third_party/heimdal/kdc/mssfu.c
+++ b/third_party/heimdal/kdc/mssfu.c
@@ -411,6 +411,19 @@ _kdc_validate_constrained_delegation(astgs_request_t r)
 goto out;
 }
+ /*
+ * We require that the delegating server (r->client) is local
+ * and was found in the local database.
+ */
+ if (r->client == NULL) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ kdc_audit_addreason((kdc_request_t)r, "Remote delegating server");
+ kdc_log(r->context, r->config, 4,
+ "Constrained delegation without local delegating server, %s/%s",
+ r->cname, r->sname);
+ goto out;
+ }
+
 t = &b->additional_tickets->val[0];
 ret = _krb5_principalname2krb5_principal(r->context,
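Review bot: The new `r->client == NULL` branch passes `r->cname` and `r->sname` to `kdc_log` with `%s`, and this is the one path where no local client entry was loaded, so it is worth confirming from the caller that both strings are always set before `_kdc_validate_constrained_delegation` runs; a NULL `%s` argument is undefined behaviour. The `%s/%s` separator also reads ambiguously in logs because principal names themselves contain `/`; a form such as `"Constrained delegation without local delegating server, client %s, server %s"` would be easier to search and alert on. The comment states the requirement but not the reason: if the intent is that the rest of the function (which continues outside this hunk) relies on the local entry in `r->client`, a line such as `/* r->client is used below; a delegating server from another realm has no local entry */` would record that for the next reader. A KDC test covering a request whose delegating server is not in the local database would keep this guard from regressing.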