From c14b87cbad5b225c5028fc6e2b73af0247cdca65 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Wed, 21 Oct 2009 16:00:08 +0000
Subject: [PATCH] ensure that forwardable flag is propagated along S4U2Self referral path

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22960 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/do_tgs_req.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 7ea3975dc..057a44250 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -465,12 +465,19 @@ tgt_again:
 if (c_nprincs &&
 isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+ /*
+ * Forwardable flag is propagated along referral path.
+ */
+ else if (is_referral &&
+ !isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE))
+ clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
 /*
 * OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
 * S4U2Self in order for forwardable tickets to be returned.
 */
 else if (!is_referral &&
- !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+ (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE) ||
+ !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)))
 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
 }
 }
-- 
2.26.2
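Review bot: The comment kept above the final `else if (!is_referral && ...)` arm is now incomplete: it still names only OK_TO_AUTH_AS_DELEGATE, while that arm also clears TKT_FLG_FORWARDABLE when the header ticket is not forwardable. Because the forwardable flag on an S4U2Self ticket is what lets the service present it later as delegation evidence, the comment should state both preconditions, for example `/* The header ticket must be forwardable and OK_TO_AUTH_AS_DELEGATE must be set on the service requesting S4U2Self for a forwardable ticket to be returned. */`. The same `!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE)` test now appears in both the referral and the non-referral arm, so `is_referral` only gates the OK_TO_AUTH_AS_DELEGATE check; testing the header flag once, ahead of that split, would make this easier to audit. The new comment says the flag is "propagated", but the visible code only ever clears it; the place where it is first set lies outside this hunk, as does the start of the enclosing block.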