* kerberos_v4.c: For consistency, check for both DISALLOW_ALL_TIX
authorTom Yu <tlyu@mit.edu>
Thu, 15 Aug 2002 20:48:24 +0000 (20:48 +0000)
committerTom Yu <tlyu@mit.edu>
Thu, 15 Aug 2002 20:48:24 +0000 (20:48 +0000)
and DISALLOW_SVR when looking up services.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14726 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/kerberos_v4.c

index 617beb4ccdabaa4a3af32d72dbe4eb4448c9a9af..d2b3e7ab0597be4130985b2fd7ebd23a3feaf7c3 100644 (file)
@@ -1,3 +1,8 @@
+2002-08-15  Tom Yu  <tlyu@mit.edu>
+
+       * kerberos_v4.c: For consistency, check for both DISALLOW_ALL_TIX
+       and DISALLOW_SVR when looking up services.
+
 2002-08-08  Ken Raeburn  <raeburn@mit.edu>
 
        * network.c (setup_port): Ignore AF_LINK addresses.  Log address
index cf9fa9feecd6dc14ea502fa9db62468b22234730..a1f271494800fdb53dac1e4d2458219f9b8a7855 100644 (file)
@@ -156,7 +156,7 @@ static int set_tgtkey (char *, krb5_kvno);
 #define V4_KDB_REQUIRES_PREAUTH  0x1
 #define V4_KDB_DISALLOW_ALL_TIX  0x2
 #define V4_KDB_REQUIRES_PWCHANGE 0x4
-
+#define V4_KDB_DISALLOW_SVR      0x8
 
 /* v4 compatibitly mode switch */
 #define KDC_V4_NONE            0       /* Don't even respond to packets */
@@ -547,6 +547,9 @@ kerb_get_principal(name, inst, principal, maxn, more, k5key, kvno,
     if (isflagset(entries.attributes,  KRB5_KDB_DISALLOW_ALL_TIX)) {
           principal->attributes |= V4_KDB_DISALLOW_ALL_TIX;
     }
+    if (issrv && isflagset(entries.attributes, KRB5_KDB_DISALLOW_SVR)) {
+       principal->attributes |= V4_KDB_DISALLOW_SVR;
+    }
     if (isflagset(entries.attributes,  KRB5_KDB_REQUIRES_PWCHANGE)) {
           principal->attributes |= V4_KDB_REQUIRES_PWCHANGE;
     }
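Review bot: The `issrv &&` gate on the added DISALLOW_SVR mapping means `V4_KDB_DISALLOW_SVR` is only present when the caller passed a non-zero `issrv`, so the checks this commit adds in `check_princ` and `set_tgtkey` silently depend on how each caller performs the lookup. Those calls are outside the hunks shown, so it is worth confirming that the `krbtgt` lookup in `set_tgtkey` passes `issrv` as true; otherwise its DISALLOW_SVR branch can never fire. A short comment here would record the contract, e.g. `/* DISALLOW_SVR applies to service lookups only; callers that enforce it must pass issrv != 0 */`. The body of `kerb_get_principal` starts and ends outside the hunk.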
@@ -1121,6 +1124,13 @@ check_princ(p_name, instance, lifetime, p, k5key, issrv, k5life)
        return KERB_ERR_NAME_EXP;
     }
 
+    if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
+       lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: "
+                 "\"%s\" \"%s\"", p_name, instance);
+       /* Not sure of a better error to return */
+       return KERB_ERR_NAME_EXP;
+    }
+
     /*
      * Does the principal require preauthentication?
      */
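Review bot: The DISALLOW_SVR denial added to `check_princ` is returned as `KERB_ERR_NAME_EXP` and logged under `L_ERR_SEXP`, so to the client, and to anyone filtering the KDC log by class, an administrative lockout is indistinguishable from an expired entry. The literal text `V5 DISALLOW_SVR set:` is then the only reliable signal for this policy denial. I would replace `/* Not sure of a better error to return */` with a comment that states this, e.g. `/* No closer V4 error code known; NAME_EXP is reused and the klog text is what identifies a DISALLOW_SVR denial */`. The flag is also tested here without consulting `issrv`, which relies on `kerb_get_principal` setting it only for service lookups. `check_princ` extends beyond the hunk.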
@@ -1181,6 +1191,19 @@ set_tgtkey(r, kvno)
     if (n == 0)
        return (KFAILURE);
 
+    if (isflagset(p->attributes, V4_KDB_DISALLOW_ALL_TIX)) {
+       lt = klog(L_ERR_SEXP,
+                 "V5 DISALLOW_ALL_TIX set: \"krbtgt\" \"%s\"", r);
+       krb5_free_keyblock_contents(kdc_context, &k5key);
+       return KFAILURE;
+    }
+
+    if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
+       lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: \"krbtgt\" \"%s\"", r);
+       krb5_free_keyblock_contents(kdc_context, &k5key);
+       return KFAILURE;
+    }
+
     if (!K4KDC_ENCTYPE_OK(k5key.enctype)) {
        krb_set_key_krb5(kdc_context, &k5key);
        strncpy(lastrealm, r, sizeof(lastrealm) - 1);
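Review bot: The two new flag checks in `set_tgtkey` run only on the path that does a fresh lookup, and the `lastrealm` copy in the context line below suggests the function remembers the last realm whose key it loaded. If an earlier return outside this hunk short-circuits when the realm and `kvno` match the remembered ones, a DISALLOW_ALL_TIX or DISALLOW_SVR flag set on `krbtgt` after the key was loaded would not take effect until the remembered key is replaced. That is worth confirming against the top of the function and, if it holds, recording with a comment such as `/* flags are re-evaluated only when the tgt key is reloaded */`. Freeing `k5key` on both new failure paths is the right cleanup.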