typedef struct _kdb_sign_auth_data_rep {
krb5_magic magic;
krb5_authdata **auth_data; /* Signed authorization data */
- krb5_db_entry *entry; /* Optional client principal extracted from auth data */
- int nprincs; /* Non-zero if above contains principal data */
} kdb_sign_auth_data_rep;
typedef struct _kdb_check_transited_realms_req {
{
krb5_error_code code;
krb5_authdata **db_authdata = NULL;
- krb5_db_entry ad_entry;
- int ad_nprincs = 0;
krb5_boolean tgs_req = (request->msg_type == KRB5_TGS_REQ);
krb5_const_principal actual_client;
enc_tkt_reply->times.authtime,
tgs_req ? enc_tkt_request->authorization_data : NULL,
enc_tkt_reply->session,
- &db_authdata,
- &ad_entry,
- &ad_nprincs);
+ &db_authdata);
if (code == KRB5_KDB_DBTYPE_NOSUP) {
- assert(ad_nprincs == 0);
assert(db_authdata == NULL);
if (isflagset(flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION))
return 0;
}
- if (ad_nprincs != 0) {
- /*
- * This code was submitted by Novell; however there is no
- * mention in [MS-SFU] of needing to examine the authorization
- * data to clear the forwardable flag. My understanding is that
- * the state of the forwardable flag is propagated through the
- * cross-realm TGTs.
- */
-#if 0
- if (isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
- isflagset(ad_entry.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
- clear(enc_tkt_reply->flags, TKT_FLG_FORWARDABLE);
-#endif
-
- krb5_db_free_principal(context, &ad_entry, ad_nprincs);
-
- if (ad_nprincs != 1) {
- if (db_authdata != NULL)
- krb5_free_authdata(context, db_authdata);
- return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- }
- }
-
if (db_authdata != NULL) {
code = merge_authdata(context, db_authdata,
&enc_tkt_reply->authorization_data,
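Review bot: With the ad_nprincs block removed, a non-zero `code` from sign_db_authdata other than KRB5_KDB_DBTYPE_NOSUP is no longer examined before the `if (db_authdata != NULL)` merge at the end of the hunk, where `code` is overwritten by merge_authdata's return value. Unless a check sits outside the hunk, a plugin failure that also left db_authdata set would be silently turned into a successful merge of partial authorization data into the ticket. The NOSUP branch only returns early for constrained delegation, so I would add an `else if (code != 0)` branch after it that frees db_authdata when non-NULL and returns `code`. The enclosing function starts before and ends after this hunk, so such a check may already exist out of view.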
krb5_timestamp authtime,
krb5_authdata **tgs_authdata,
krb5_keyblock *session_key,
- krb5_authdata ***ret_authdata,
- krb5_db_entry *ad_entry,
- int *ad_nprincs)
+ krb5_authdata ***ret_authdata)
{
krb5_error_code code;
kdb_sign_auth_data_req req;
krb5_data rep_data;
*ret_authdata = NULL;
- memset(ad_entry, 0, sizeof(*ad_entry));
- *ad_nprincs = 0;
memset(&req, 0, sizeof(req));
memset(&rep, 0, sizeof(rep));
req.auth_data = tgs_authdata;
req.session_key = session_key;
- rep.entry = ad_entry;
- rep.nprincs = 0;
-
req_data.data = (void *)&req;
req_data.length = sizeof(req);
&rep_data);
*ret_authdata = rep.auth_data;
- *ad_nprincs = rep.nprincs;
return code;
}
krb5_timestamp authtime,
krb5_authdata **tgs_authdata,
krb5_keyblock *session_key,
- krb5_authdata ***ret_authdata,
- krb5_db_entry *ad_entry,
- int *ad_nprincs);
+ krb5_authdata ***ret_authdata);
krb5_error_code kdc_process_s4u2self_req
(krb5_context context,