Replace AD-SIGNEDPATH with minimal PACs

Remove all of the AD-SIGNEDPATH code. Instead, issue a signed minimal PAC in all tickets and require a valid PAC to be present in all tickets presented for S4U operations. Remove the get_authdata_info() and sign_authdata() DAL methods, and add an issue_pac() method to allow the KDB to add or copy buffers to the PAC. Add a disable_pac realm flag.

Microsoft revised the S4U2Proxy rules for forwardable tickets. All S4U2Proxy operations require forwardable evidence tickets, but S4U2Self should issue a forwardable ticket if the requesting service has no ok-to-auth-as-delegate bit but also no constrained delegation privileges for traditional S4U2Proxy. Implement these rules, extending the check_allowed_to_delegate() DAL method so that the KDC can ask if a principal has any delegation privileges.

Combine the KRB5_KDB_FLAG_ISSUE_PAC and KRB5_FLAG_CLIENT_REFERRALS_ONLY flags into KRB5_KDB_FLAG_CLIENT. Rename the KRB5_KDB_FLAG_CANONICALIZE flag to KRB5_KDB_FLAG_REFERRAL_OK, and only pass it to get_principal() for lookup operations that can use a realm referral.

For consistency with Active Directory, honor the no-auth-data-required server principal flag for S4U2Proxy but not for S4U2Self. Previously we did the reverse.
https://github.com/krb5/krb5/commit/a441fbe329ebbd7775eb5d4ccc4a05eef370f08b
Author: Greg Hudson
Commit: a441fbe329ebbd7775eb5d4ccc4a05eef370f08b
Branch: master

 doc/admin/conf_files/kdc_conf.rst          |   6 +
 src/include/k5-int.h                       |  26 +-
 src/include/kdb.h                          | 330 ++++++--------
 src/kdc/do_as_req.c                        |  33 +-
 src/kdc/do_tgs_req.c                       | 131 +++--
 src/kdc/kdc_authdata.c                     | 651 ++++++++-------------
 src/kdc/kdc_util.c                         | 221 +++++++--
 src/kdc/kdc_util.h                         |  64 ++-
 src/kdc/main.c                             |   5 +
 src/kdc/realm_data.h                       |   1 +
 src/kdc/tgs_policy.c                       | 222 ++++++++-
 src/lib/kdb/kdb5.c                         |  99 +---
 src/lib/kdb/libkdb5.exports                |   4 +-
 src/lib/krb5/asn.1/asn1_k_encode.c         |  30 -
 src/lib/krb5/krb/Makefile.in               |   5 +-
 src/lib/krb5/krb/authdata.c                |   1 -
 src/lib/krb5/krb/deps                      |  12 -
 src/lib/krb5/krb/kfree.c                   |  18 -
 src/lib/krb5/krb/s4u_authdata.c            | 598 -----------------------
 src/lib/krb5/libkrb5.exports               |   4 -
 src/plugins/kdb/db2/db2_exp.c              |  13 +-
 src/plugins/kdb/ldap/ldap_exp.c            |   1 -
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c |   4 +-
 src/plugins/kdb/test/kdb_test.c            | 530 ++++-----------------
 src/tests/asn.1/krb5_decode_leak.c         |  10 -
 src/tests/asn.1/krb5_decode_test.c         |   8 -
 src/tests/asn.1/krb5_encode_test.c         |  17 -
 src/tests/asn.1/ktest.c                    |  55 --
 src/tests/asn.1/ktest.h                    |   4 -
 src/tests/asn.1/ktest_equal.c              |  28 -
 src/tests/asn.1/ktest_equal.h              |   4 -
 src/tests/asn.1/reference_encode.out       |   2 -
 src/tests/asn.1/trval_reference.out        |  49 -
 src/tests/gssapi/t_s4u.py                  |  20 +-
 src/tests/t_authdata.py                    |  76 +--
 35 files changed, 957 insertions(+), 2325 deletions(-)
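As an added illustration of the S4U rules the commit message describes, here is a small C model of the three KDC decisions it changes: whether an S4U2Self ticket is issued forwardable, whether an S4U2Proxy evidence ticket is acceptable (forwardable and carrying a valid PAC), and whether an issued ticket gets a PAC at all (the disable_pac realm flag, and no-auth-data-required honored for S4U2Proxy only). This is not krb5's code; the function and parameter names are constructed for the example, and the branch that keeps an ok-to-auth-as-delegate service's S4U2Self ticket forwardable is the pre-existing rule, assumed here rather than stated in the message.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the S4U policy decisions described in the commit
 * message. Names and types are hypothetical, not the krb5 KDC's own.
 */

/*
 * S4U2Self: the issued ticket is forwardable if the requesting service has
 * the ok-to-auth-as-delegate bit (pre-existing rule, assumed here), or, per
 * the revised Microsoft rule, if it has neither that bit nor any constrained
 * delegation privileges for traditional S4U2Proxy.  A service that has
 * delegation privileges but no ok-to-auth-as-delegate bit gets a
 * non-forwardable ticket, so it cannot go on to S4U2Proxy with it.
 */
bool
s4u2self_forwardable(bool ok_to_auth_as_delegate, bool has_delegation_privs)
{
    if (ok_to_auth_as_delegate)
        return true;
    return !has_delegation_privs;
}

typedef enum {
    S4U_OK = 0,
    S4U_ERR_EVIDENCE_NOT_FORWARDABLE,
    S4U_ERR_EVIDENCE_NO_PAC
} s4u_result;

/*
 * S4U2Proxy: the evidence ticket must be forwardable, and every ticket
 * presented for an S4U operation must carry a valid (signature-verified) PAC.
 * Ordering matters only for which error is reported first.
 */
s4u_result
s4u2proxy_check_evidence(bool evidence_forwardable, bool evidence_pac_valid)
{
    if (!evidence_forwardable)
        return S4U_ERR_EVIDENCE_NOT_FORWARDABLE;
    if (!evidence_pac_valid)
        return S4U_ERR_EVIDENCE_NO_PAC;
    return S4U_OK;
}

/*
 * Whether the ticket being issued carries a PAC.  The realm-wide disable_pac
 * flag suppresses it everywhere; the server principal's no-auth-data-required
 * flag is honored for S4U2Proxy but, for consistency with Active Directory,
 * ignored for S4U2Self (and for ordinary requests in this model).
 */
bool
issue_pac(bool is_s4u2proxy, bool server_no_auth_data_required,
          bool realm_disable_pac)
{
    if (realm_disable_pac)
        return false;
    if (is_s4u2proxy && server_no_auth_data_required)
        return false;
    return true;
}

static const char *
result_name(s4u_result r)
{
    switch (r) {
    case S4U_OK: return "ok";
    case S4U_ERR_EVIDENCE_NOT_FORWARDABLE: return "evidence ticket not forwardable";
    case S4U_ERR_EVIDENCE_NO_PAC: return "evidence ticket lacks valid PAC";
    }
    return "unknown";
}

int
main(void)
{
    /* Service with no delegation attributes at all: forwardable S4U2Self. */
    printf("plain service S4U2Self forwardable: %d\n",
           s4u2self_forwardable(false, false));
    /* Service with constrained delegation but no ok-to-auth-as-delegate. */
    printf("delegating service S4U2Self forwardable: %d\n",
           s4u2self_forwardable(false, true));
    /* A non-forwardable evidence ticket is rejected before the PAC check. */
    printf("S4U2Proxy with non-forwardable evidence: %s\n",
           result_name(s4u2proxy_check_evidence(false, true)));
    printf("S4U2Proxy with forwardable evidence, no PAC: %s\n",
           result_name(s4u2proxy_check_evidence(true, false)));
    printf("PAC issued for S4U2Self to no-auth-data-required server: %d\n",
           issue_pac(false, true, false));
    return 0;
}
```

Each decision is a pure function of the attributes the KDC already has, which is what makes the policy easy to test in isolation; the enum distinguishes the two rejection reasons so a KDC log or test can tell a missing PAC apart from a non-forwardable evidence ticket.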