#define KRB5_KDB_FLAG_CROSS_REALM 0x00001000
/* Allow in-realm aliases */
#define KRB5_KDB_FLAG_ALIAS_OK 0x00002000
+/* Issuing referral */
+#define KRB5_KDB_FLAG_ISSUING_REFERRAL 0x00004000
+
#define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
* client entry during an S4U2Proxy TGS request. Also affects PAC
* generation.
*
- * KRB5_KDB_FLAG_CROSS_REALM: Set by the KDC when looking up a client entry
- * during a TGS request, if the client principal is not part of the
- * realm being served.
+ * KRB5_KDB_FLAG_CROSS_REALM: Set by the KDC after looking up a server
+ * entry during a TGS request, if the header ticket was issued by a
+ * different realm.
+ *
+ * KRB5_KDB_FLAG_ISSUING_REFERRAL: Set by the KDC after looking up a server
+ * entry during a TGS request, if the requested server principal is not
+ * part of the realm being served, and a referral or alternate TGT will
+ * be issued instead.
*
* KRB5_KDB_FLAG_ALIAS_OK: Set by the KDC for server principal lookups and
* for AS request client principal lookups with canonicalization
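Review bot: The rewritten KRB5_KDB_FLAG_CROSS_REALM paragraph changes what the flag encodes — the removed text keyed it on the client principal of the header ticket, the new text keys it on the realm that issued the header ticket — but the comment does not say that the meaning moved. This block is the interface documentation for KDB modules, and an out-of-tree module that tests the flag during client lookups would read the new text as if nothing changed. Suggest one more sentence in that paragraph along the lines of ` * Note: this flag no longer says anything about the client principal's realm; compare the client realm directly if that property is needed.` The KRB5_KDB_FLAG_ISSUING_REFERRAL paragraph reads fine as written.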
goto cleanup;
}
- if (!is_local_principal(kdc_active_realm, header_enc_tkt->client))
+ if (!is_local_principal(kdc_active_realm, header_ticket->server))
setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
+ if (is_referral)
+ setflag(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL);
/* Check for protocol transition */
errcode = kdc_process_s4u2self_req(kdc_active_realm,
request,
header_enc_tkt->client,
- header_ticket->server,
- is_referral,
+ c_flags,
server,
subkey,
header_enc_tkt->session,
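Review bot: The two setflag() lines that now feed c_flags into kdc_process_s4u2self_req carry no comment, yet together they define the four-state contract the callee keys its checks on (local vs. cross-realm header ticket, referral vs. no referral). A short comment above the first `if` would make that visible at the producer: `/* Record the header ticket's issuing realm and whether we are answering with a referral; kdc_process_s4u2self_req keys its cross-realm checks on these two bits. */`. Note also that the old callee derived its cross-realm notion from is_cross_tgs_principal() on the header server, while the new producer uses is_local_principal(); if those can ever disagree for a non-TGT header ticket the behavior of the callee's NOT_CROSS_REALM_REQUEST branch shifts, which is worth confirming. The enclosing function begins and ends outside this hunk.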
}
}
- if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
- !isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM))
+ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && !is_referral)
enc_tkt_reply.client = s4u_x509_user->user_id.user;
else
enc_tkt_reply.client = subject_tkt->client;
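Review bot: The new condition reads the local `is_referral` while the callee it pairs with (kdc_process_s4u2self_req) reads the same fact from c_flags via KRB5_KDB_FLAG_ISSUING_REFERRAL, leaving two sources of truth for one decision. Since the earlier hunk sets the flag directly from `is_referral`, the two should not diverge, but testing the flag here keeps the function consistent with its callee: `if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && !isflagset(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL))`. This assumes `is_referral` is not reassigned between the setflag() and this point, which is outside the hunk. The enclosing function begins and ends outside this hunk.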
kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
krb5_kdc_req *request,
krb5_const_principal client_princ,
- krb5_const_principal header_srv_princ,
- krb5_boolean issuing_referral,
+ unsigned int c_flags,
const krb5_db_entry *server,
krb5_keyblock *tgs_subkey,
krb5_keyblock *tgs_session,
const char **status)
{
krb5_error_code code;
- krb5_boolean is_local_tgt;
krb5_pa_data *pa_data;
int flags;
krb5_db_entry *princ;
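Review bot: The new `c_flags` parameter replaces two self-describing arguments (a header server principal and a boolean) with an opaque bit set, and nothing in the hunk says which bits the function consults. From the body in the later hunks it reads KRB5_KDB_FLAG_CROSS_REALM and KRB5_KDB_FLAG_ISSUING_REFERRAL; if there is a header comment above the definition (outside this hunk) it should name those two bits and state that other bits are ignored, e.g. `c_flags: the caller's client-lookup flags; only KRB5_KDB_FLAG_CROSS_REALM and KRB5_KDB_FLAG_ISSUING_REFERRAL are consulted here.` The same applies to the matching prototype change in the header hunk at the end of this patch. The function body continues past the end of this hunk.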
* final cross-realm requests in a multi-realm scenario.
*/
- is_local_tgt = !is_cross_tgs_principal(header_srv_princ);
- if (is_local_tgt && issuing_referral) {
+ if (!isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM) &&
+ isflagset(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL)) {
/* The requesting server appears to no longer exist, and we found
* a referral instead. Treat this as a server lookup failure. */
*status = "LOOKING_UP_SERVER";
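Review bot: The three flag tests in this function (here, in the NOT_CROSS_REALM_REQUEST hunk below, and in the `else if` that follows `*princ_ptr = princ;`) together enumerate the four combinations of KRB5_KDB_FLAG_CROSS_REALM and KRB5_KDB_FLAG_ISSUING_REFERRAL, but a reader has to reconstruct the table from three separate two-line conditions. A single comment ahead of the first test would let the checks be read as one decision; something like a four-line comment listing local/no-referral → normal local lookup, local/referral → LOOKING_UP_SERVER, cross-realm/no-referral → NOT_CROSS_REALM_REQUEST, cross-realm/referral → falls through to the lookup. Whether the fourth combination really reaches the lookup depends on code outside these hunks, so phrase that entry as I have hedged it here. The enclosing function starts in the previous hunk and ends outside SOURCE.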
krb5_db_entry no_server;
krb5_pa_data **e_data = NULL;
- if (!is_local_tgt && !issuing_referral) {
+ if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM) &&
+ !isflagset(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL)) {
/* A local server should not need a cross-realm TGT to impersonate
* a local principal. */
*status = "NOT_CROSS_REALM_REQUEST";
}
*princ_ptr = princ;
- } else if (is_local_tgt) {
+ } else if (!isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
/*
* The server is asking to impersonate a principal from another realm,
* using a local TGT. It should instead ask that principal's realm and
kdc_process_s4u2self_req (kdc_realm_t *kdc_active_realm,
krb5_kdc_req *request,
krb5_const_principal client_princ,
- krb5_const_principal header_srv_princ,
- krb5_boolean issuing_referral,
+ unsigned int c_flags,
const krb5_db_entry *server,
krb5_keyblock *tgs_subkey,
krb5_keyblock *tgs_session,