git.ipfire.org Git - thirdparty/krb5.git/commit

author	Isaac Boukris <iboukris@gmail.com>
	Thu, 20 Jun 2019 05:00:06 +0000 (05:00 +0000)
committer	Greg Hudson <ghudson@mit.edu>
	Sun, 8 Sep 2019 19:11:17 +0000 (15:11 -0400)
commit	c426ef2ca2ba45dbf96f5380cf7d153ec0679424
tree	0f047016b714d0aa13f7a1b60e997befabf4130b	tree
parent	2b29619aa27c2e63fea80cac60b5607a3fce972f	commit \| diff

Add RBCD client support

When making S4U2Proxy requests, include a PA-PAC-OPTIONS pa-data
element advertising resource-based constrained delegation support. If
the KDC returns a referral TGT for the initial request and advertises
RBCD support, chase referrals to the target realm with both a regular
and proxy TGT, and make an S4U2Proxy request to the target realm with
the proxy TGT as evidence ticket.

Because cross-realm S4U2Proxy requests must use referrals, an explicit
foreign realm in the server name cannot be honored. In the GSSAPI
krb5 mech, if a host-based server name is used, omit the realm (if one
was obtained from [domain_realm] or similar) when calling
krb5_get_credentials() for constrained delegation.

[ghudson@mit.edu: rewrote commit message; made style changes]

ticket: 8479

src/include/k5-int.h		diff \| blob \| blame \| history
src/include/krb5/krb5.hin		diff \| blob \| blame \| history
src/lib/gssapi/krb5/init_sec_context.c		diff \| blob \| blame \| history
src/lib/krb5/asn.1/asn1_k_encode.c		diff \| blob \| blame \| history
src/lib/krb5/krb/gc_via_tkt.c		diff \| blob \| blame \| history
src/lib/krb5/krb/s4u_creds.c		diff \| blob \| blame \| history
src/lib/krb5/libkrb5.exports		diff \| blob \| blame \| history