From: Andreas Schneider Date: Thu, 9 Dec 2021 06:48:13 +0000 (+0100) Subject: s4:kdc: Implement new Microsoft forwardable flag behavior X-Git-Tag: tevent-0.12.0~572 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1201147d06feeba8b6ec72fb537340ba29b1b95f;p=thirdparty%2Fsamba.git s4:kdc: Implement new Microsoft forwardable flag behavior Allow delegation to any target if we have delegations set up, but the target is not specified. Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher
---
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 8b18fdb0ff9..c0c9c7045b5 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -429,12 +429,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 # S4U tests
 #
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_client_not_delegated
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_forwardable
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowed
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_without_forwardable
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 77c0c0e4746..d280aa02902 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2736,6 +2736,22 @@ samba_kdc_check_s4u2proxy(krb5_context context,
 		return ret;
 	}
 
+	el = ldb_msg_find_element(skdc_entry->msg, "msDS-AllowedToDelegateTo");
+	if (el == NULL) {
+		goto bad_option;
+	}
+
+	/*
+	 * This is the Microsoft forwardable flag behavior.
+	 *
+	 * If the proxy (target) principal is NULL, and we have any authorized
+	 * delegation target, allow to forward.
+	 */
+	if (el->num_values >= 0 && target_principal == NULL) {
+		return 0;
+	}
+
+
 	/*
 	 * The main heimdal code already checked that the target_principal
 	 * belongs to the same realm as the client.
@@ -2766,11 +2782,6 @@ samba_kdc_check_s4u2proxy(krb5_context context,
 		return ret;
 	}
 
-	el = ldb_msg_find_element(skdc_entry->msg, "msDS-AllowedToDelegateTo");
-	if (el == NULL) {
-		goto bad_option;
-	}
-
 	val = data_blob_string_const(target_principal_name);
 	for (i=0; inum_values; i++) {
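Review bot: The new guard `if (el->num_values >= 0 && target_principal == NULL)` in the first hunk does not check what its comment promises: num_values is an unsigned count in ldb's struct ldb_message_element, so `>= 0` is always true and the early `return 0` fires for every NULL target_principal as soon as the msDS-AllowedToDelegateTo element exists, including one with zero values. The comment says forwarding is granted only when "we have any authorized delegation target", so the condition should be `if (target_principal == NULL && el->num_values > 0) {`. Whether an element with no values can actually reach this point depends on how skdc_entry->msg is populated, which is outside the hunk, but for an authorization decision the check should match the stated policy rather than be vacuous, and compilers warn about it under -Wtype-limits. The enclosing function samba_kdc_check_s4u2proxy starts and ends outside this hunk.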