BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
Match Windows behavior and allow the forwardable flag to be
set in cross-realm tickets. We used to allow forwardable to
any server, but now that we apply disallow-forwardable policy
in heimdal we need to explicitly allow in the corss-realm case
(and remove the workaround we have for it the MIT plugin).
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 12 22:10:34 UTC 2020 on sn-devel-184
+++ /dev/null
-^samba4.blackbox.krb5.s4u.get a ticket to impersonator for trust user
-^samba4.blackbox.krb5.s4u.test S4U2Proxy evidence ticket obtained by TGS of trust user
+++ /dev/null
-^samba.tests.krb5.xrealm_tests.samba.tests.krb5.xrealm_tests.XrealmKerberosTests.test_xrealm
entry_ex->entry.max_renew = NULL;
+ /* Match Windows behavior and allow forwardable flag in cross-realm. */
+ entry_ex->entry.flags.forwardable = 1;
+
ret = samba_kdc_sort_encryption_keys(entry_ex);
if (ret != 0) {
krb5_clear_error_message(context);
sdb_free_entry(&sentry);
- if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) {
- kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE;
- kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE;
- }
-
done:
krb5_free_principal(ctx->context, referral_principal);
referral_principal = NULL;