sdb: Do not set disallow if we do not have ticket info in the DB
authorAndreas Schneider <asn@samba.org>
Fri, 12 Feb 2016 09:01:54 +0000 (10:01 +0100)
committerAlexander Bokovoy <ab@samba.org>
Thu, 2 Jun 2016 10:48:13 +0000 (12:48 +0200)
These things are applied by the KDC, based on the incoming ticket.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
source4/kdc/sdb_to_kdb.c

index 9e0950c686adeb5a448e26e70e2d16a64cfefb56..5d4be53725b200106bc1f11d86a55d90a838cbd3 100644 (file)
@@ -36,20 +36,27 @@ static int SDBFlags_to_kflags(const struct SDBFlags *s,
        if (s->initial) {
                *k |= KRB5_KDB_DISALLOW_TGT_BASED;
        }
-       if (!s->forwardable) {
-               *k |= KRB5_KDB_DISALLOW_FORWARDABLE;
+       /*
+        * Do not set any disallow rules for forwardable, proxiable,
+        * renewable, postdate and server.
+        *
+        * The KDC will take care setting the flags based on the incoming
+        * ticket.
+        */
+       if (s->forwardable) {
+               ;
        }
-       if (!s->proxiable) {
-               *k |= KRB5_KDB_DISALLOW_PROXIABLE;
+       if (s->proxiable) {
+               ;
        }
-       if (!s->renewable) {
-               *k |= KRB5_KDB_DISALLOW_RENEWABLE;
+       if (s->renewable) {
+               ;
        }
-       if (!s->postdate) {
-               *k |= KRB5_KDB_DISALLOW_POSTDATED;
+       if (s->postdate) {
+               ;
        }
-       if (!s->server) {
-               *k |= KRB5_KDB_DISALLOW_SVR;
+       if (s->server) {
+               ;
        }
        if (s->client) {
                ;
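Review bot: The five `KRB5_KDB_DISALLOW_*` mappings are dropped unconditionally here, although the commit title limits the change to the case where the DB has no ticket info. A principal whose SDB entry deliberately clears `forwardable`, `proxiable`, `renewable`, `postdate` or `server` therefore presumably no longer gets the matching restriction in `*k`. If the SDB can carry such per-principal restrictions (an account that must not be delegated, or one that must not be a service target), confirm that they are enforced elsewhere and name the place in the new comment, for instance `Per-principal restrictions are enforced in (location to be filled in), not via KDB attributes.` The remaining `if (s->forwardable) { ; }` style branches are no-ops and could be deleted, leaving only the comment. `SDBFlags_to_kflags` starts before this hunk and continues past it.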