Force tickets acquired by the kadm5 client library via password
authorRuss Allbery <rra@stanford.edu>
Wed, 14 Jan 2009 00:29:04 +0000 (00:29 +0000)
committerRuss Allbery <rra@stanford.edu>
Wed, 14 Jan 2009 00:29:04 +0000 (00:29 +0000)
authentication to be non-forwardable and non-proxiable, overriding
any [libdefaults] configuration.  This may be necessary at sites that
set forwardable to true by default in their krb5.conf files but
disable forwardable tickets for privileged principals.  Since the
ticket cache acquired by the kadm5 client library is used only for
kadmin operations, where forwardable is not useful or necessary, there
is no reason to ever attempt to obtain forwardable or proxiable tickets
here.

Ticket: 6337

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21744 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/kadm5/clnt/client_init.c

index d5fe5b0f129491a3c3588a7cbeb84fcb6af20c62..82bec3c4ef537c8f45b871efc6157524a31e3a42 100644 (file)
@@ -541,8 +541,12 @@ kadm5_gic_iter(kadm5_server_handle_t handle,
             goto error;
      }
 
-     if (init_type != INIT_CREDS)
+     /* Credentials for kadmin don't need to be forwardable or proxiable. */
+     if (init_type != INIT_CREDS) {
          krb5_get_init_creds_opt_init(&opt);
+         krb5_get_init_creds_opt_set_forwardable(&opt, 0);
+         krb5_get_init_creds_opt_set_proxiable(&opt, 0);
+     }
 
      if (init_type == INIT_PASS) {
          code = krb5_get_init_creds_password(ctx, &outcreds, client, pass,
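Review bot: The new comment on the `if (init_type != INIT_CREDS)` block states only that forwardable/proxiable are not needed, while the actual motivation — sites that set `forwardable = true` in [libdefaults] but reject forwardable tickets for privileged principals, so a default-derived request would fail — lives only in the commit message and will be lost to readers of the file. I would extend it to `/* Credentials for kadmin don't need to be forwardable or proxiable, and some sites refuse forwardable tickets for admin principals, so request neither regardless of [libdefaults]. */`. Note that `opt` is now initialized and populated only on the non-INIT_CREDS path; that is fine as long as the INIT_CREDS branch further down never reads `opt`, which cannot be confirmed from this hunk. The enclosing function kadm5_gic_iter begins before and continues after the hunk.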