From: Luke Howard Date: Wed, 21 Oct 2009 16:00:08 +0000 (+0000) Subject: ensure that forwardable flag is propagated along S4U2Self referral path X-Git-Tag: krb5-1.8-alpha1~281 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=c14b87cbad5b225c5028fc6e2b73af0247cdca65;p=krb5.git ensure that forwardable flag is propagated along S4U2Self referral path git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22960 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 7ea3975dc..057a44250 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -465,12 +465,19 @@ tgt_again: if (c_nprincs && isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); + /* + * Forwardable flag is propagated along referral path. + */ + else if (is_referral && + !isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE)) + clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); /* * OK_TO_AUTH_AS_DELEGATE must be set on the service requesting * S4U2Self in order for forwardable tickets to be returned. */ else if (!is_referral && - !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) + (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE) || + !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))) clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); } }