Allow referrals for cross-realm S4U2Self requests

According to MS-SFU 3.2.5.1.1, the KDC should issue a referral for
S4U2Self requests if the requesting service is not in the KDC's realm.
Commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f explicitly prevents
referrals for S4U2Self requests; on further analysis, this appears to
have been preserving a bug rather than applying a proper constraint.
However, we should not issue referrals for within-realm S4U2Self
requests.  (This should only come up if a server possesses a TGT but
its principal entry has been deleted.)

Remove the S4U2Self referral check in process_tgs_req().  Instead add
a more specific check in kdc_process_s4u2self_req(), adding new
parameters for the header server principal and a flag indicating
whether a referral is indicated.

[ghudson@mit.edu: rewrote commit message; adjusted style slightly]

ticket: 8747 (new)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index bf2178125f00c357325319fc758648155a503715..587342a6c9ac00d2c11e8c14ce9d14470d1948ed 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -269,6 +269,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
     errcode = kdc_process_s4u2self_req(kdc_active_realm,
                                        request,
                                        header_enc_tkt->client,
+                                       header_ticket->server,
+                                       is_referral,
                                        server,
                                        subkey,
                                        header_enc_tkt->session,
@@ -288,16 +290,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
 
     if (errcode)
         goto cleanup;
-    if (s4u_x509_user != NULL) {
+    if (s4u_x509_user != NULL)
         setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
-        if (is_referral) {
-            /* The requesting server appears to no longer exist, and we found
-             * a referral instead.  Treat this as a server lookup failure. */
-            errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
-            status = "LOOKING_UP_SERVER";
-            goto cleanup;
-        }
-    }
 
     /* Deal with user-to-user and constrained delegation */
     errcode = decrypt_2ndtkt(kdc_active_realm, request, c_flags,

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 21af360cdf06efc6fa2e4a2b287d7cd3e1fcdcaf..d1c81a54da4ee45d223ece844f55124b5c7005d5 100644 (file)
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1441,6 +1441,8 @@ krb5_error_code
 kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
                          krb5_kdc_req *request,
                          krb5_const_principal client_princ,
+                         krb5_const_principal header_srv_princ,
+                         krb5_boolean issuing_referral,
                          const krb5_db_entry *server,
                          krb5_keyblock *tgs_subkey,
                          krb5_keyblock *tgs_session,
@@ -1450,6 +1452,7 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
                          const char **status)
 {
     krb5_error_code             code;
+    krb5_boolean                is_local_tgt;
     krb5_pa_data                *pa_data;
     int                         flags;
     krb5_db_entry               *princ;
@@ -1543,6 +1546,14 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
         return KRB5KDC_ERR_BADOPTION;
     }
 
+    is_local_tgt = !is_cross_tgs_principal(header_srv_princ);
+    if (is_local_tgt && issuing_referral) {
+        /* The requesting server appears to no longer exist, and we found
+         * a referral instead.  Treat this as a server lookup failure. */
+        *status = "LOOKING_UP_SERVER";
+        return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+    }
+
     /*
      * Do not attempt to lookup principals in foreign realms.
      */

diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 1885c9f80e63ce8421a58c55d1a2df36a343eb30..6ec645fc3406406dd02b4d0618cb594ab5df57ea 100644 (file)
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -269,6 +269,8 @@ krb5_error_code
 kdc_process_s4u2self_req (kdc_realm_t *kdc_active_realm,
                           krb5_kdc_req *request,
                           krb5_const_principal client_princ,
+                          krb5_const_principal header_srv_princ,
+                          krb5_boolean issuing_referral,
                           const krb5_db_entry *server,
                           krb5_keyblock *tgs_subkey,
                           krb5_keyblock *tgs_session,