From: Isaac Boukris Date: Fri, 5 Oct 2018 11:14:32 +0000 (+0300) Subject: Allow referrals for cross-realm S4U2Self requests X-Git-Tag: krb5-1.17-beta1~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bce3da1bc392cf5e8a4ca709f8eb1cfde974e36e;p=thirdparty%2Fkrb5.git Allow referrals for cross-realm S4U2Self requests According to MS-SFU 3.2.5.1.1, the KDC should issue a referral for S4U2Self requests if the requesting service is not in the KDC's realm. Commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f explicitly prevents referrals for S4U2Self requests; on further analysis, this appears to have been preserving a bug rather than applying a proper constraint. However, we should not issue referrals for within-realm S4U2Self requests. (This should only come up if a server possesses a TGT but its principal entry has been deleted.) Remove the S4U2Self referral check in process_tgs_req(). Instead add a more specific check in kdc_process_s4u2self_req(), adding new parameters for the header server principal and a flag indicating whether a referral is indicated. [ghudson@mit.edu: rewrote commit message; adjusted style slightly] ticket: 8747 (new) --- diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index bf2178125f..587342a6c9 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -269,6 +269,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, errcode = kdc_process_s4u2self_req(kdc_active_realm, request, header_enc_tkt->client, + header_ticket->server, + is_referral, server, subkey, header_enc_tkt->session, @@ -288,16 +290,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, if (errcode) goto cleanup; - if (s4u_x509_user != NULL) { + if (s4u_x509_user != NULL) setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION); - if (is_referral) { - /* The requesting server appears to no longer exist, and we found - * a referral instead. Treat this as a server lookup failure. */ - errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - status = "LOOKING_UP_SERVER"; - goto cleanup; - } - } /* Deal with user-to-user and constrained delegation */ errcode = decrypt_2ndtkt(kdc_active_realm, request, c_flags, diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 21af360cdf..d1c81a54da 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -1441,6 +1441,8 @@ krb5_error_code kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request, krb5_const_principal client_princ, + krb5_const_principal header_srv_princ, + krb5_boolean issuing_referral, const krb5_db_entry *server, krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session, @@ -1450,6 +1452,7 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, const char **status) { krb5_error_code code; + krb5_boolean is_local_tgt; krb5_pa_data *pa_data; int flags; krb5_db_entry *princ; @@ -1543,6 +1546,14 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, return KRB5KDC_ERR_BADOPTION; } + is_local_tgt = !is_cross_tgs_principal(header_srv_princ); + if (is_local_tgt && issuing_referral) { + /* The requesting server appears to no longer exist, and we found + * a referral instead. Treat this as a server lookup failure. */ + *status = "LOOKING_UP_SERVER"; + return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + } + /* * Do not attempt to lookup principals in foreign realms. */ diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 1885c9f80e..6ec645fc34 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -269,6 +269,8 @@ krb5_error_code kdc_process_s4u2self_req (kdc_realm_t *kdc_active_realm, krb5_kdc_req *request, krb5_const_principal client_princ, + krb5_const_principal header_srv_princ, + krb5_boolean issuing_referral, const krb5_db_entry *server, krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session,