From 033fd8fb426adcf264a867fc0001c0ee6735a079 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 14 Jan 2009 00:29:04 +0000 Subject: [PATCH] Force tickets acquired by the kadm5 client library via password authentication to be non-forwardable and non-proxiable, overridding any [libdefaults] configuration. This may be necessary at sites that set forwardable to true by default in their krb5.conf files but disable forwardable tickets for privileged principals. Since the ticket cache acquired by the kadm5 client library is used only for kadmin operations, where forwardable is not useful or necessary, there is no reason to ever attempt to obtain forwardable or proxiable tickets here. Ticket: 6337 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21744 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/kadm5/clnt/client_init.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c index d5fe5b0f1..82bec3c4e 100644 --- a/src/lib/kadm5/clnt/client_init.c +++ b/src/lib/kadm5/clnt/client_init.c @@ -541,8 +541,12 @@ kadm5_gic_iter(kadm5_server_handle_t handle, goto error; } - if (init_type != INIT_CREDS) + /* Credentials for kadmin don't need to be forwardable or proxiable. */ + if (init_type != INIT_CREDS) { krb5_get_init_creds_opt_init(&opt); + krb5_get_init_creds_opt_set_forwardable(&opt, 0); + krb5_get_init_creds_opt_set_proxiable(&opt, 0); + } if (init_type == INIT_PASS) { code = krb5_get_init_creds_password(ctx, &outcreds, client, pass, -- 2.26.2