From 7af09c5fcb6f70c475ec807eab4c2086958ddaa7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 20 Mar 2025 00:22:34 +0100
Subject: [PATCH] third_party/heimdal: Import lorikeet-heimdal-202503211047 (commit 752fd2fc0d7e48791df91dd2b45899e64ef65a7a)
kdc: Constrained delegation requires a local delegating server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15837
MR: https://github.com/heimdal/heimdal/pull/1274
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
 third_party/heimdal/kdc/mssfu.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/third_party/heimdal/kdc/mssfu.c b/third_party/heimdal/kdc/mssfu.c
index 471e193f544..554e2f2112a 100644
--- a/third_party/heimdal/kdc/mssfu.c
+++ b/third_party/heimdal/kdc/mssfu.c
@@ -411,6 +411,19 @@ _kdc_validate_constrained_delegation(astgs_request_t r)
 goto out;
 }
+ /*
+ * We require that the delegating server (r->client) is local
+ * and was found in the local database.
+ */
+ if (r->client == NULL) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ kdc_audit_addreason((kdc_request_t)r, "Remote delegating server");
+ kdc_log(r->context, r->config, 4,
+ "Constrained delegation without local delegating server, %s/%s",
+ r->cname, r->sname);
+ goto out;
+ }
+
 t = &b->additional_tickets->val[0];
 ret = _krb5_principalname2krb5_principal(r->context,
--
2.47.3
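Review bot: The comment above `if (r->client == NULL)` states the requirement but not the reason for it, which is what a later reader of a security fix needs. I would extend it to say when `r->client` is unset and what relies on it, e.g. `/* r->client is only set when the delegating server was found in the local HDB; the S4U2Proxy checks below rely on that entry. */`, with the wording confirmed against the rest of `_kdc_validate_constrained_delegation`, which continues outside this hunk. The `kdc_log` call passes `r->cname` and `r->sname` to `%s`; whether both are always set when this branch is reached is not visible here and is worth confirming, since the branch handles exactly the request for which no client entry exists. The `%s/%s` form is also ambiguous in the log because principal names contain `/` themselves; `"... delegating server, client %s, server %s"` would read unambiguously.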