git.ipfire.org Git - thirdparty/krb5.git/commit

author	Isaac Boukris <iboukris@gmail.com>
	Sat, 17 Aug 2019 22:59:25 +0000 (22:59 +0000)
committer	Greg Hudson <ghudson@mit.edu>
	Tue, 20 Aug 2019 18:59:29 +0000 (14:59 -0400)
commit	e12e890f063f41bf8aef45e44a3ee329f64139d2
tree	9e73e88cbbcf32d6a5b48d6234c6a2282c3803e2	tree
parent	d5fd778c4ebbaaa385a5694bf4a48d4ea0d6d05a	commit \| diff

Change definition of KRB5_KDB_FLAG_CROSS_REALM

Set the CROSS_REALM flag if the header ticket was issued by a
different realm, instead of when the client is part of a different
realm.  The affected corner cases are:

* In the final request of a cross-realm S4U2Self request, the header
  ticket client is local but the header ticket was issued by a
  different realm.  The CROSS_REALM flag will now be set in this case.

* If a foreign client renews or validates a locally issued ticket, the
  CROSS_REALM flag will no longer be set.

* If a foreign client requests a local TGT and then uses it to make a
  request, the CROSS_REALM flag will no longer be set.

Also add a new flag KRB5_KDB_FLAG_ISSUING_REFERRAL, which is set when
the KDC decides to issue a referral or alternate TGT.  Use the new
flag meanings to simplify S4U2Self processing.

[ghudson@mit.edu: edited comments and commit messages]

ticket: 8827 (new)

src/include/kdb.h		diff \| blob \| blame \| history
src/kdc/do_tgs_req.c		diff \| blob \| blame \| history
src/kdc/kdc_util.c		diff \| blob \| blame \| history
src/kdc/kdc_util.h		diff \| blob \| blame \| history