For ticket modification requests (such as renewals), u2u requests, and
S4U2Self requests, the requested server principal is expected to match
a previously issued ticket. If that principal no longer exists, we
must fail the request; we cannot issue a referral. We are currently
doing that by rewriting request->server to the referral principal,
which causes the match against the ticket to fail. Since we would
like to stop modifying the request, we must explicitly prevent
referrals in these cases.
We don't find out whether a request is S4U2Self until after we've
looked up the server principal, so for now we have to make a
retroactive check for a referral after calling
kdc_process_s4u2self_req.
projects / thirdparty / krb5.git / commit
