Allow the constrained delegation authorization method to use the evidence ticket...
authorLuke Howard <lukeh@padl.com>
Wed, 21 Oct 2009 18:21:50 +0000 (18:21 +0000)
committerLuke Howard <lukeh@padl.com>
Wed, 21 Oct 2009 18:21:50 +0000 (18:21 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22963 dc483132-0cff-0310-8789-dd5450dbe970

src/include/kdb_ext.h
src/kdc/kdc_util.c

index dfa2e0b71e9fc82d5c0bafb2c9bafd6bf50ea072..f51d4650046ee72146107bb10f1dc3fceab2bee0 100644 (file)
@@ -159,6 +159,7 @@ typedef struct _kdb_check_allowed_to_delegate_req {
     krb5_magic magic;
     const krb5_db_entry *server;
     krb5_const_principal proxy;
+    krb5_const_principal client;
 } kdb_check_allowed_to_delegate_req;
 
 #endif /* KRB5_KDB5_EXT__ */
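Review bot: The new `client` field in `kdb_check_allowed_to_delegate_req` has no comment saying which principal it holds, and it grows a structure that kdc_util.c hands to the backend as a blob with `req_data.length = sizeof(req)`. A backend built against the older header would presumably receive a length it does not expect, so confirm that any backend-side length check rejects the mismatch rather than reading a request of the wrong size. I would document the field as `/* client named in the evidence ticket, i.e. the user being impersonated */`. The struct's opening line is outside this hunk.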
index ba2c4b53f307a069381f0df0a95a8369098f0799..9ad832e8ab5fe083081dd73dd119a02ad2c8b972 100644 (file)
@@ -2238,6 +2238,7 @@ kdc_process_s4u2self_req(krb5_context context,
 
 static krb5_error_code
 check_allowed_to_delegate_to(krb5_context context,
+                            krb5_const_principal client,
                             const krb5_db_entry *server,
                             krb5_const_principal proxy)
 {
@@ -2258,6 +2259,7 @@ check_allowed_to_delegate_to(krb5_context context,
 
     req.server = server;
     req.proxy = proxy;
+    req.client = client;
 
     req_data.data = (void *)&req;
     req_data.length = sizeof(req);
@@ -2312,7 +2314,9 @@ kdc_process_s4u2proxy_req(krb5_context context,
 
     /* Backend policy check */
     errcode = check_allowed_to_delegate_to(kdc_context,
-                                          server, proxy_princ);
+                                          t2enc->client,
+                                          server,
+                                          proxy_princ);
     if (errcode) {
        *status = "NOT_ALLOWED_TO_DELEGATE";
        return errcode;
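Review bot: `t2enc->client` is passed to the backend policy check, but nothing in this hunk shows that `t2enc` is non-NULL or that the evidence ticket was decrypted and validated first. kdc_process_s4u2proxy_req starts and ends outside the hunk, so that may already be handled earlier. Because the backend can now base its authorization decision on this principal, the precondition deserves a comment at the call site, e.g. `/* t2enc->client is taken from the decrypted evidence ticket: the user the server wants to act for */`. If no earlier check guarantees it, a guard before the call would be needed.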