From 3a78a891b671fc2e7f2848b6944e5a0a9e54320f Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Mon, 11 May 2009 20:55:28 +0000 Subject: [PATCH] pull up r22281 from trunk ------------------------------------------------------------------------ r22281 | ghudson | 2009-04-27 11:42:23 -0400 (Mon, 27 Apr 2009) | 8 lines Changed paths: M /trunk/src/include/kdb.h M /trunk/src/include/kdb_ext.h M /trunk/src/kadmin/cli/kadmin.M M /trunk/src/kadmin/cli/kadmin.c M /trunk/src/kdc/do_tgs_req.c M /trunk/src/lib/kadm5/str_conv.c ticket: 5596 Move KRB5_KDB_OK_AS_DELEGATE from kdb_ext.h to kdb.h. Add kadmin support for the flag. In the KDC, remove the restriction on returning the flag on cross-realm TGTs since there is now a defined meaning for that (it allows ok-as-delegate to be honored on the foreign realm's service tickets). ticket: 5596 version_fixed: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22330 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/kdb.h | 1 + src/include/kdb_ext.h | 2 -- src/kadmin/cli/kadmin.M | 10 ++++++++++ src/kadmin/cli/kadmin.c | 10 +++++++++- src/kdc/do_tgs_req.c | 5 +---- src/lib/kadm5/str_conv.c | 3 +++ 6 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 8b681ef81..ea81cfeef 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -95,6 +95,7 @@
 #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
 #define KRB5_KDB_SUPPORT_DESMD5 0x00004000
 #define KRB5_KDB_NEW_PRINC 0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE 0x00100000
 
 /* Creation flags */
 #define KRB5_KDB_CREATE_BTREE 0x00000001
diff --git a/src/include/kdb_ext.h b/src/include/kdb_ext.h
index 87959538e..59323e232 100644
--- a/src/include/kdb_ext.h
+++ b/src/include/kdb_ext.h
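Review bot: The new `KRB5_KDB_OK_AS_DELEGATE` definition at the end of the attribute-flag list carries no comment, whereas the definition it replaces in kdb_ext.h (removed in the next hunk) was annotated `/* Can be delegated as in TicketFlags */`; that comment should move with the definition, because it is the only thing telling a reader that this attribute bit is mirrored into a ticket flag rather than being a KDB-internal policy bit. The value also sits above the documented block (the previous entry is 0x00008000) and directly below bits that remain in kdb_ext.h (0x00200000 is visible in the next hunk), so the next flag added here must be checked against kdb_ext.h to avoid a collision. Suggested line: `#define KRB5_KDB_OK_AS_DELEGATE 0x00100000 /* Can be delegated as in TicketFlags; keep distinct from kdb_ext.h bits */`.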
@@ -31,8 +31,6 @@
 #ifndef KRB5_KDB5_EXT__
 #define KRB5_KDB5_EXT__
 
-/* Can be delegated as in TicketFlags */
-#define KRB5_KDB_OK_AS_DELEGATE 0x00100000
 /* Allowed to use protocol transition */
 #define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000
 /* Service does not require authorization data */
diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M
index 165bf0c73..22c096de5 100644
--- a/src/kadmin/cli/kadmin.M
+++ b/src/kadmin/cli/kadmin.M
@@ -341,6 +341,16 @@ flag.)
 .B -requires_hwauth
 clears this flag.
 .TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal as the service, which clients may use as a hint that credentials can and should be delegated when authenticating to the service. (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
 {\fB\-\fP|\fB+\fP}\fBallow_svr\fP
 .B -allow_svr
 prohibits the issuance of service tickets for this principal. (Sets the
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index af6673d07..213842c9e 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -71,7 +71,8 @@ static struct pflag flags[] = {
 {"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
 {"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
 {"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
 };
 
 static char *prflags[] = {
@@ -91,6 +92,11 @@ static char *prflags[] = {
 "PWCHANGE_SERVICE", /* 0x00002000 */
 "SUPPORT_DESMD5", /* 0x00004000 */
 "NEW_PRINC", /* 0x00008000 */
+ "UNKNOWN_0x00010000", /* 0x00010000 */
+ "UNKNOWN_0x00020000", /* 0x00020000 */
+ "UNKNOWN_0x00040000", /* 0x00040000 */
+ "UNKNOWN_0x00080000", /* 0x00080000 */
+ "OK_AS_DELEGATE", /* 0x00100000 */
 };
 
 char *getenv();
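Review bot: The four `UNKNOWN_0x000?0000` placeholder entries added to `prflags[]` have no comment explaining why they exist; their only visible purpose is to keep each array index equal to its bit position so that `OK_AS_DELEGATE` lands at index 20 (0x00100000), and anyone who later removes a placeholder or inserts a name in that range will silently shift every later entry. I would put a comment above the new entries, e.g. `/* Index must equal bit position; placeholders fill the gap up to OK_AS_DELEGATE. */`. The code that walks this table is not in the hunk, so I am presuming it iterates bits by index and is bounded by the array length; that should be confirmed, because a loop over all 32 bits would read past the table for the 0x00200000 and higher bits that kdb_ext.h still defines.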
@@ -1117,6 +1123,7 @@ kadmin_addprinc_usage(func)
 "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
 "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
 "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
 "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
 "\t\t\tLook at each database documentation for supported arguments\n");
 }
@@ -1133,6 +1140,7 @@ kadmin_modprinc_usage(func)
 "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
 "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
 "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
 "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
 "\t\t\tLook at each database documentation for supported arguments\n"
 );
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index d81a76386..298e13293 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -417,11 +417,8 @@ tgt_again:
 enc_tkt_reply.flags = 0;
 enc_tkt_reply.times.starttime = 0;
 
- if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) &&
- !is_referral) {
- /* Ensure that we are not returning a referral */
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE))
 setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
- }
 
 /*
 * Fix header_ticket's starttime; if it's zero, fill in the
diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c
index 3d60d7902..2bd99adbc 100644
--- a/src/lib/kadm5/str_conv.c
+++ b/src/lib/kadm5/str_conv.c
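Review bot: Dropping `!is_referral` means `TKT_FLG_OK_AS_DELEGATE` is now set on cross-realm TGTs whenever the krbtgt/REMOTE entry carries `KRB5_KDB_OK_AS_DELEGATE`, and per the commit message that has realm-wide effect (the client will honor ok-as-delegate on every service ticket from the foreign realm), yet the new one-line `if` says nothing about it and the deleted comment describing the old restriction is not replaced. Because an administrator can now produce that realm-wide trust with a single `modprinc +ok_as_delegate krbtgt/REMOTE`, the intent belongs in the code: `/* On a cross-realm TGT this tells clients to honor ok-as-delegate on the foreign realm's service tickets (ticket 5596). */`. The hunk does not show whether `is_referral` is still used elsewhere in this function; if this was its last use it should be removed as well. The enclosing function begins and ends outside this hunk.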
@@ -73,6 +73,7 @@ static const char flags_dup_skey_in[] = "dup-skey";
 static const char flags_tickets_in[] = "allow-tickets";
 static const char flags_preauth_in[] = "preauth";
 static const char flags_hwauth_in[] = "hwauth";
+static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
 static const char flags_pwchange_in[] = "pwchange";
 static const char flags_service_in[] = "service";
 static const char flags_pwsvc_in[] = "pwservice";
@@ -86,6 +87,7 @@ static const char flags_dup_skey_out[] = "No DUP_SKEY requests";
 static const char flags_tickets_out[] = "All Tickets Disallowed";
 static const char flags_preauth_out[] = "Preauthorization required";
 static const char flags_hwauth_out[] = "HW Authorization required";
+static const char flags_ok_as_delegate_out[] = "OK as Delegate";
 static const char flags_pwchange_out[] = "Password Change required";
 static const char flags_service_out[] = "Service Disabled";
 static const char flags_pwsvc_out[] = "Password Changing Service";
@@ -109,6 +111,7 @@ static const struct flags_lookup_entry flags_table[] = {
 { KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
 { KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
 { KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
 { KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
 { KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
 { KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },
-- 2.26.2