Explicitly prevent referrals for certain requests

For ticket modification requests (such as renewals), u2u requests, and
S4U2Self requests, the requested server principal is expected to match
a previously issued ticket.  If that principal no longer exists, we
must fail the request; we cannot issue a referral.  We are currently
doing that by rewriting request->server to the referral principal,
which causes the match against the ticket to fail.  Since we would
like to stop modifying the request, we must explicitly prevent
referrals in these cases.

We don't find out whether a request is S4U2Self until after we've
looked up the server principal, so for now we have to make a
retroactive check for a referral after calling
kdc_process_s4u2self_req.

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 240203638691ca1233ef037faccda65fc1906d8c..a71c01cede11b32172ac4b925b73992dd0762c3d 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -270,8 +270,16 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                                        &status);
     if (errcode)
         goto cleanup;
-    if (s4u_x509_user != NULL)
+    if (s4u_x509_user != NULL) {
         setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
+        if (is_referral) {
+            /* The requesting server appears to no longer exist, and we found
+             * a referral instead.  Treat this as a server lookup failure. */
+            errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+            status = "LOOKING_UP_SERVER";
+            goto cleanup;
+        }
+    }
 
     errcode = decrypt_2ndtkt(kdc_active_realm, request, c_flags,
                              &stkt_server, &status);
@@ -1191,9 +1199,16 @@ search_sprinc(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
     krb5_error_code ret;
     krb5_principal princ = req->server;
     krb5_principal reftgs = NULL;
+    krb5_boolean allow_referral;
+
+    /* Do not allow referrals for u2u or ticket modification requests, because
+     * the server is supposed to match an already-issued ticket. */
+    allow_referral = !(req->kdc_options & NO_REFERRAL_OPTION);
+    if (!allow_referral)
+        flags &= ~KRB5_KDB_FLAG_CANONICALIZE;
 
     ret = db_get_svc_princ(kdc_context, princ, flags, server, status);
-    if (ret == 0 || ret != KRB5_KDB_NOENTRY)
+    if (ret == 0 || ret != KRB5_KDB_NOENTRY || !allow_referral)
         goto cleanup;
 
     if (!is_cross_tgs_principal(req->server)) {

diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index c50ee848a1ee8bea666741f50a7b713405a6b460..6c54333610529251ef20150b5407bd71e0344465 100644 (file)
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -410,6 +410,10 @@ struct krb5_kdcpreauth_rock_st {
 
 #define NON_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | \
                         KDC_OPT_VALIDATE)
+
+/* TGS-REQ options which are not compatible with referrals */
+#define NO_REFERRAL_OPTION (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)
+
 int check_anon(kdc_realm_t *kdc_active_realm,
                krb5_principal client, krb5_principal server);
 int errcode_to_protocol(krb5_error_code code);