ensure that forwardable flag is propagated along S4U2Self referral path
authorLuke Howard <lukeh@padl.com>
Wed, 21 Oct 2009 16:00:08 +0000 (16:00 +0000)
committerLuke Howard <lukeh@padl.com>
Wed, 21 Oct 2009 16:00:08 +0000 (16:00 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22960 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/do_tgs_req.c

index 7ea3975dc5f04c920f0d93e60c67212b2b40750a..057a4425063f24727f9f7ed55b811218fc4e2eab 100644 (file)
@@ -465,12 +465,19 @@ tgt_again:
             if (c_nprincs &&
                 isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
                 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+            /*
+             * Forwardable flag is propagated along referral path.
+             */
+            else if (is_referral &&
+                !isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE))
+                clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
             /*
              * OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
              * S4U2Self in order for forwardable tickets to be returned.
              */
             else if (!is_referral &&
-                !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+                (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE) ||
+                 !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)))
                 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
         }
     }
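Review bot: The comment kept above the final `else if` still names only OK_TO_AUTH_AS_DELEGATE, but the rewritten condition also clears TKT_FLG_FORWARDABLE when `header_enc_tkt->flags` lacks it, so the comment now understates what is checked. It should name both requirements, for example `* The presented TGT must be forwardable and OK_TO_AUTH_AS_DELEGATE must be set on the service requesting S4U2Self ...`. The new referral comment would also be clearer if it said the branch only ever clears the flag and never sets it, e.g. `/* On a referral, never return a forwardable ticket if the header ticket was not forwardable. */`. That makes the intent explicit: a later KDC on the path must not restore a delegation capability that an earlier one withheld. The enclosing block and the `tgt_again:` context start outside this hunk, so how `is_referral` and `header_enc_tkt` are set cannot be confirmed from here.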