git.ipfire.org Git - thirdparty/krb5.git/commit

author	Isaac Boukris <iboukris@gmail.com>
	Fri, 5 Oct 2018 11:14:32 +0000 (14:14 +0300)
committer	Greg Hudson <ghudson@mit.edu>
	Fri, 12 Oct 2018 18:22:25 +0000 (14:22 -0400)
commit	bce3da1bc392cf5e8a4ca709f8eb1cfde974e36e
tree	e2f63b04d07d58bde804fc5709930a306f1747be	tree
parent	76053d61fecfec8c5ea31c74bec73d2846b5effe	commit \| diff

Allow referrals for cross-realm S4U2Self requests

According to MS-SFU 3.2.5.1.1, the KDC should issue a referral for
S4U2Self requests if the requesting service is not in the KDC's realm.
Commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f explicitly prevents
referrals for S4U2Self requests; on further analysis, this appears to
have been preserving a bug rather than applying a proper constraint.
However, we should not issue referrals for within-realm S4U2Self
requests. (This should only come up if a server possesses a TGT but
its principal entry has been deleted.)

Remove the S4U2Self referral check in process_tgs_req(). Instead add
a more specific check in kdc_process_s4u2self_req(), adding new
parameters for the header server principal and a flag indicating
whether a referral is indicated.

[ghudson@mit.edu: rewrote commit message; adjusted style slightly]

ticket: 8747 (new)

src/kdc/do_tgs_req.c		diff \| blob \| blame \| history
src/kdc/kdc_util.c		diff \| blob \| blame \| history
src/kdc/kdc_util.h		diff \| blob \| blame \| history