Move KRB5_KDB_OK_AS_DELEGATE from kdb_ext.h to kdb.h. Add kadmin
authorGreg Hudson <ghudson@mit.edu>
Mon, 27 Apr 2009 15:42:23 +0000 (15:42 +0000)
committerGreg Hudson <ghudson@mit.edu>
Mon, 27 Apr 2009 15:42:23 +0000 (15:42 +0000)
support for the flag.  In the KDC, remove the restriction on returning
the flag on cross-realm TGTs since there is now a defined meaning for
that (it allows ok-as-delegate to be honored on the foreign realm's
service tickets).

ticket: 5596

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22281 dc483132-0cff-0310-8789-dd5450dbe970

src/include/kdb.h
src/include/kdb_ext.h
src/kadmin/cli/kadmin.M
src/kadmin/cli/kadmin.c
src/kdc/do_tgs_req.c
src/lib/kadm5/str_conv.c

index 8b681ef814237cd1cc0ab79929d6b4a7c1aa4629..ea81cfeef156cefe934b814445b0e38e0983d117 100644 (file)
@@ -95,6 +95,7 @@
 #define KRB5_KDB_PWCHANGE_SERVICE      0x00002000
 #define KRB5_KDB_SUPPORT_DESMD5         0x00004000
 #define        KRB5_KDB_NEW_PRINC              0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE                0x00100000
 
 /* Creation flags */
 #define KRB5_KDB_CREATE_BTREE          0x00000001
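Review bot: The relocated define arrives without the one-line comment its kdb_ext.h copy carried, so kdb.h now introduces a value that jumps from 0x00008000 straight to 0x00100000 with no statement of what the bit means or why the intermediate values are skipped. The kadmin.c change in this same commit has to pad its name table with four UNKNOWN_ placeholders to bridge that gap, which is a sign the header should explain it. Suggest keeping a comment above the new line, e.g. `/* Tickets for this service carry the ok-as-delegate ticket flag; 0x00010000-0x00080000 are unassigned here, higher bits are in kdb_ext.h */`. Whether those intermediate values are claimed somewhere else in the tree is not visible from this page.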
index 87959538e9dc1304482a39a57423bfe50cf1b51d..59323e23228522d0b0c023e89e2fec5ec88769a2 100644 (file)
@@ -31,8 +31,6 @@
 #ifndef KRB5_KDB5_EXT__
 #define KRB5_KDB5_EXT__
 
-/* Can be delegated as in TicketFlags */
-#define KRB5_KDB_OK_AS_DELEGATE                0x00100000
 /* Allowed to use protocol transition */
 #define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE        0x00200000
 /* Service does not require authorization data */
index 165bf0c73611e4b849ed78309b5672469f63d130..22c096de574221b040e41e4fc225bde222eca5c8 100644 (file)
@@ -341,6 +341,16 @@ flag.)
 .B -requires_hwauth
 clears this flag.
 .TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients may use as a hint that credentials can and
+should be delegated when authenticating to the service.  (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
 {\fB\-\fP|\fB+\fP}\fBallow_svr\fP
 .B -allow_svr
 prohibits the issuance of service tickets for this principal.  (Sets the
index 557b63a25dee6f270c17897f238015ccceb582d4..fcfe4d94fc643041fedc46964b9951b44cd32d37 100644 (file)
@@ -71,7 +71,8 @@ static struct pflag flags[] = {
 {"needchange", 10,     KRB5_KDB_REQUIRES_PWCHANGE,     0},
 {"allow_svr", 9,       KRB5_KDB_DISALLOW_SVR, 1},
 {"password_changing_service",  25,     KRB5_KDB_PWCHANGE_SERVICE,      0 },
-{"support_desmd5",     14,     KRB5_KDB_SUPPORT_DESMD5,        0 }
+{"support_desmd5",     14,     KRB5_KDB_SUPPORT_DESMD5,        0 },
+{"ok_as_delegate",     14,     KRB5_KDB_OK_AS_DELEGATE,        0 }
 };
 
 static char *prflags[] = {
@@ -91,6 +92,11 @@ static char *prflags[] = {
     "PWCHANGE_SERVICE",                /* 0x00002000 */
     "SUPPORT_DESMD5",          /* 0x00004000 */
     "NEW_PRINC",               /* 0x00008000 */
+    "UNKNOWN_0x00010000",      /* 0x00010000 */
+    "UNKNOWN_0x00020000",      /* 0x00020000 */
+    "UNKNOWN_0x00040000",      /* 0x00040000 */
+    "UNKNOWN_0x00080000",      /* 0x00080000 */
+    "OK_AS_DELEGATE",          /* 0x00100000 */
 };
 
 char *getenv();
@@ -1117,6 +1123,7 @@ kadmin_addprinc_usage(func)
            "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
            "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
            "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+           "\t\tok_as_delegate\n"
            "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
            "\t\t\tLook at each database documentation for supported arguments\n");
 }
@@ -1133,6 +1140,7 @@ kadmin_modprinc_usage(func)
            "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
            "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
            "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+           "\t\tok_as_delegate\n"
            "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
            "\t\t\tLook at each database documentation for supported arguments\n"
        );
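Review bot: The prflags[] additions depend on the array index equalling the bit number of each KRB5_KDB_ attribute (hence the four UNKNOWN_ placeholders between NEW_PRINC and OK_AS_DELEGATE), but nothing at the array says so, and a future flag added without its padding would silently shift every later name. Suggest a comment on the array, `/* Indexed by bit number of the KRB5_KDB_* attribute; keep placeholders for unassigned bits. */`, and, if the printing loop bounds itself by the array length (not visible here), a note that higher bits such as KRB5_KDB_OK_TO_AUTH_AS_DELEGATE from kdb_ext.h still print nothing. The flags[] entry and both usage strings are consistent with each other, and the length field 14 matches strlen("ok_as_delegate"). The functions holding the usage strings start outside their hunks.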
index f2cb61d44f17102d0a4c65dd5210c36317dd0fe8..a99dc35ba19b7373c74d1642c7fb6299f9802a4a 100644 (file)
@@ -417,11 +417,8 @@ tgt_again:
     enc_tkt_reply.flags = 0;
     enc_tkt_reply.times.starttime = 0;
 
-    if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) &&
-        !is_referral) {
-        /* Ensure that we are not returning a referral */
+    if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE))
         setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
-    }
 
     /*
      * Fix header_ticket's starttime; if it's zero, fill in the
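Review bot: The rewritten condition now sets TKT_FLG_OK_AS_DELEGATE on referral and cross-realm TGTs as well, but the code keeps no trace of why the earlier `!is_referral` guard went away; the rationale lives only in the commit message, and the next reader will see the KDC asserting delegation trust for tickets the foreign realm will issue. Suggest a why-comment above the `if`, e.g. `/* Also set on cross-realm TGTs: ok-as-delegate there lets clients honor the flag on the foreign realm's service tickets, so setting the attribute on a cross-realm krbtgt principal is a deliberate trust decision by the local administrator. */`. The body is now a single unbraced statement while the removed code and the surrounding file brace their control bodies, so restoring the braces would match. The kadmin.M text in this commit documents the attribute only for service principals and could mention this TGT meaning so administrators know what they are asserting. The enclosing function starts and ends outside the hunk.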
index 3d60d7902fbe9ed543a2b5870fbe7950c9b6ea83..2bd99adbc1536d2d70ed0964ca9263ca22dcab62 100644 (file)
@@ -73,6 +73,7 @@ static const char flags_dup_skey_in[] = "dup-skey";
 static const char flags_tickets_in[]   = "allow-tickets";
 static const char flags_preauth_in[]   = "preauth";
 static const char flags_hwauth_in[]    = "hwauth";
+static const char flags_ok_as_delegate_in[]    = "ok-as-delegate";
 static const char flags_pwchange_in[]  = "pwchange";
 static const char flags_service_in[]   = "service";
 static const char flags_pwsvc_in[]     = "pwservice";
@@ -86,6 +87,7 @@ static const char flags_dup_skey_out[]        = "No DUP_SKEY requests";
 static const char flags_tickets_out[]  = "All Tickets Disallowed";
 static const char flags_preauth_out[]  = "Preauthorization required";
 static const char flags_hwauth_out[]   = "HW Authorization required";
+static const char flags_ok_as_delegate_out[]   = "OK as Delegate";
 static const char flags_pwchange_out[] = "Password Change required";
 static const char flags_service_out[]  = "Service Disabled";
 static const char flags_pwsvc_out[]    = "Password Changing Service";
@@ -109,6 +111,7 @@ static const struct flags_lookup_entry flags_table[] = {
 { KRB5_KDB_DISALLOW_ALL_TIX,   0,      flags_tickets_in,  flags_tickets_out },
 { KRB5_KDB_REQUIRES_PRE_AUTH,  1,      flags_preauth_in,  flags_preauth_out },
 { KRB5_KDB_REQUIRES_HW_AUTH,   1,      flags_hwauth_in,   flags_hwauth_out  },
+{ KRB5_KDB_OK_AS_DELEGATE,     1,      flags_ok_as_delegate_in, flags_ok_as_delegate_out },
 { KRB5_KDB_REQUIRES_PWCHANGE,  1,      flags_pwchange_in, flags_pwchange_out},
 { KRB5_KDB_DISALLOW_SVR,       0,      flags_service_in,  flags_service_out },
 { KRB5_KDB_PWCHANGE_SERVICE,   1,      flags_pwsvc_in,    flags_pwsvc_out   },