Allow u2u requests when -allow_svr is set

If KRB5_KDB_DISALLOW_SVR is set on the server principal, still allow
user-to-user tickets to be issued unless KRB5_KDB_DISALLOW_DUP_SKEY is
also set.  This change makes the KDC_ERR_MUST_USE_USER2USER error
message more appropriate.

ticket: 2641

[ghudson@mit.edu: added test case; updated documentation based on
suggestions by Patrick Moore; edited commit message]

diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index 9b5ccf4e911a854ed3baa22ab87a5f7b74e99419..0321202551a5fd018c49c65f64134d26961fb7a0 100644 (file)
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -297,8 +297,9 @@ Options:
 
 {-\|+}\ **allow_dup_skey**
     **-allow_dup_skey** disables user-to-user authentication for this
-    principal by prohibiting this principal from obtaining a session
-    key for another user.  **+allow_dup_skey** clears this flag.
+    principal by prohibiting others from obtaining a service ticket
+    encrypted in this principal's TGT session key.
+    **+allow_dup_skey** clears this flag.
 
 {-\|+}\ **requires_preauth**
     **+requires_preauth** requires this principal to preauthenticate
@@ -325,7 +326,9 @@ Options:
 
 {-\|+}\ **allow_svr**
     **-allow_svr** prohibits the issuance of service tickets for this
-    principal.  **+allow_svr** clears this flag.
+    principal.  In release 1.17 and later, user-to-user service
+    tickets are still allowed unless the **-allow_dup_skey** flag is
+    also set.  **+allow_svr** clears this flag.
 
 {-\|+}\ **allow_tgs_req**
     **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS)

diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index ea185aeca62be9f3529424887f764c0e040ef10f..227c76dd41d4400a69e32c71e1168d59334df412 100644 (file)
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -134,9 +134,8 @@ The following tags may be specified in a [realms] subsection:
         the principal within this realm.
 
     **dup-skey**
-        Enabling this flag allows the principal to obtain a session
-        key for another user, permitting user-to-user authentication
-        for this principal.
+        Enabling this flag allows the KDC to issue user-to-user
+        service tickets for this principal.
 
     **forwardable**
         Enabling this flag allows the principal to obtain forwardable
@@ -193,7 +192,9 @@ The following tags may be specified in a [realms] subsection:
 
     **service**
         Enabling this flag allows the the KDC to issue service tickets
-        for this principal.
+        for this principal.  In release 1.17 and later, user-to-user
+        service tickets are still allowed if the **dup-skey** flag is
+        set.
 
     **tgt-based**
         Enabling this flag allows a principal to obtain tickets based

diff --git a/src/appl/user_user/t_user2user.py b/src/appl/user_user/t_user2user.py
index 2c054f1819cbd0ddd0abd3b421361e7c17db6ecc..0d50d66858f0322cf99c4458cbe3db09d6cb391a 100755 (executable)
--- a/src/appl/user_user/t_user2user.py
+++ b/src/appl/user_user/t_user2user.py
@@ -4,6 +4,12 @@ from k5test import *
 debug_compiled=1
 
 for realm in multipass_realms():
+    # Verify that -allow_svr denies regular TGS requests, but allows
+    # user-to-user TGS requests.
+    realm.run([kadminl, 'modprinc', '-allow_svr', realm.user_princ])
+    realm.run([kvno, realm.user_princ], expected_code=1,
+               expected_msg='Server principal valid for user2user only')
+
     if debug_compiled == 0:
         realm.start_in_inetd(['./uuserver', 'uuserver'], port=9999)
     else:

diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
index 4c08e44e628a321e885d3cc80c0474658d39ed68..907fcd3304610a55b5496c2c910ad7f296712c20 100644 (file)
--- a/src/kdc/tgs_policy.c
+++ b/src/kdc/tgs_policy.c
@@ -146,7 +146,8 @@ check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry server,
         *status = "SERVER LOCKED OUT";
         return KDC_ERR_S_PRINCIPAL_UNKNOWN;
     }
-    if (server.attributes & KRB5_KDB_DISALLOW_SVR) {
+    if ((server.attributes & KRB5_KDB_DISALLOW_SVR) &&
+        !(req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY)) {
         *status = "SERVER NOT ALLOWED";
         return KDC_ERR_MUST_USE_USER2USER;
     }