s4:kdc: Don’t issue forwardable or proxiable tickets to Protected Users
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 8 Aug 2023 22:47:08 +0000 (10:47 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 14 Aug 2023 04:57:34 +0000 (04:57 +0000)
If an authentication policy enforces a maximum TGT lifetime for a
Protected User, that limit should stand in place of the four-hour limit
usually applied to Protected Users; we should nevertheless continue to
ensure that forwardable or proxiable tickets are not issued to such
users.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail_heimdal_kdc
selftest/knownfail_mit_kdc_1_20
source4/kdc/db-glue.c

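--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
 #
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_empty.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_empty.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_with_policy_error.ad_dc
+#
+# This test fails; but that is acceptable, for we have an alternative test
+# (test_authn_policy_protected_flags_with_policy_error) that expects to receive
+# a policy error.
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_without_policy_error.ad_dc
 #
 # PK-INIT tests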
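--- a/selftest/knownfail_mit_kdc_1_20
+++ b/selftest/knownfail_mit_kdc_1_20
 #
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_no_fast_negative_lifetime.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_s4u2self_constrained_delegation.ad_dc
+#
+# This test fails; but that is acceptable, for we have an alternative test
+# (test_authn_policy_protected_flags_without_policy_error) that expects to
+# receive a policy error.
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_with_policy_error.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_without_policy_error.ad_dc
 #
 # PK-INIT tests
 #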
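Review bot: The added comment in selftest/knownfail_mit_kdc_1_20 describes the alternative test test_authn_policy_protected_flags_without_policy_error as one that "expects to receive a policy error", which reads as inverted given that test's name and the parallel comment in selftest/knownfail_heimdal_kdc, where it is the with_policy_error variant that is said to expect the error. If the MIT 1.20 KDC does not return a policy error for Protected Users flag handling, the two lines would be clearer as `# (test_authn_policy_protected_flags_without_policy_error) that expects not to` / `# receive a policy error.`. Naming the KDC behaviour that differs (policy error returned or not) in each file would also explain why the opposite variant is the known failure on Heimdal versus MIT 1.20, rather than leaving the reader to infer it from the test names.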
index 41eff9c08bb9d0876fade0b35b5426dea0c8c9fa..572bf95a966f65904a105e8eda5bcabdde78a59c 100644 (file)
@@ -1478,17 +1478,18 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 
                protected_user = result;
 
-               if (protected_user && enforced_tgt_lifetime_raw == 0)
-               {
-                       /*
-                        * If a TGT lifetime hasn’t been set, Protected Users
-                        * enforces a four hour TGT lifetime.
-                        */
-                       *entry->max_life = MIN(*entry->max_life, 4 * 60 * 60);
-                       *entry->max_renew = MIN(*entry->max_renew, 4 * 60 * 60);
-
+               if (protected_user) {
                        entry->flags.forwardable = 0;
                        entry->flags.proxiable = 0;
+
+                       if (enforced_tgt_lifetime_raw == 0) {
+                               /*
+                                * If a TGT lifetime hasn’t been set, Protected
+                                * Users enforces a four hour TGT lifetime.
+                                */
+                               *entry->max_life = MIN(*entry->max_life, 4 * 60 * 60);
+                               *entry->max_renew = MIN(*entry->max_renew, 4 * 60 * 60);
+                       }
                }
        }