Remove KRB5_KDB_XREALM_NON_TRANSITIVE code
authorGreg Hudson <ghudson@mit.edu>
Mon, 19 Aug 2019 04:51:07 +0000 (00:51 -0400)
committerGreg Hudson <ghudson@mit.edu>
Tue, 20 Aug 2019 17:36:33 +0000 (13:36 -0400)
validate_transit_path() was introduced in the mskrb-integ merge, but
the flag it enforces has no documentation and no kadmin support.
Remove the function and the flag.  Also remove the
KRB5_KDB_TICKET_GRANTING_SERVICE flag which has no associated code.

src/include/kdb.h
src/kdc/do_tgs_req.c
src/kdc/kdc_util.c
src/kdc/kdc_util.h

index 0c48da60f167cc384f4cecc872503efb731f27bb..d89cd5b6eabecfe8a867c8a23e526d917438a142 100644 (file)
 #define KRB5_KDB_CREATE_BTREE           0x00000001
 #define KRB5_KDB_CREATE_HASH            0x00000002
 
-/* Private flag used to indicate principal is local TGS */
-#define KRB5_KDB_TICKET_GRANTING_SERVICE        0x01000000
-/* Private flag used to indicate xrealm relationship  is non-transitive */
-#define KRB5_KDB_XREALM_NON_TRANSITIVE          0x02000000
-
 /* Entry get flags */
 /* Name canonicalization requested */
 #define KRB5_KDB_FLAG_CANONICALIZE              0x00000010
index 1da099318d2359d30f3519eae70a99134e14861f..bf655200d03ddf4a4556a93b3cf38f29064a9a74 100644 (file)
@@ -584,14 +584,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         }
         newtransited = 1;
     }
-    if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
-        errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
-                                        server, header_server);
-        if (errcode) {
-            status = "NON_TRANSITIVE";
-            goto cleanup;
-        }
-    }
     if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
         errcode = kdc_check_transited_list (kdc_active_realm,
                                             &enc_tkt_reply.transited.tr_contents,
index 2b949cf1be7d8a490e43c0441ec5ac3de5aac9c3..450f964b13a6eb9e28d8245bbc03ec1bebddbc75 100644 (file)
@@ -1735,27 +1735,6 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm,
     return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
 }
 
-krb5_error_code
-validate_transit_path(krb5_context context,
-                      krb5_const_principal client,
-                      krb5_db_entry *server,
-                      krb5_db_entry *header_srv)
-{
-    /* Incoming */
-    if (isflagset(server->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE)) {
-        return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
-    }
-
-    /* Outgoing */
-    if (isflagset(header_srv->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) &&
-        (!krb5_principal_compare(context, server->princ, header_srv->princ) ||
-         !krb5_realm_compare(context, client, header_srv->princ))) {
-        return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
-    }
-
-    return 0;
-}
-
 krb5_boolean
 enctype_requires_etype_info_2(krb5_enctype enctype)
 {
index fea35d70a9a10020b645ca51751b2dadf751cf4f..483a7639a751647fcc7070b2edd67600fcbffd3d 100644 (file)
@@ -307,11 +307,6 @@ audit_tgs_request (krb5_kdc_req *request,
                    krb5_timestamp authtime,
                    krb5_error_code errcode);
 
-krb5_error_code
-validate_transit_path(krb5_context context,
-                      krb5_const_principal client,
-                      krb5_db_entry *server,
-                      krb5_db_entry *krbtgt);
 void
 kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
                        krb5_timestamp now,