From: ghudson@mit.edu
Subject: git commit

Allow referrals for cross-realm S4U2Self requests

According to MS-SFU 3.2.5.1.1, the KDC should issue a referral for S4U2Self requests if the requesting service is not in the KDC's realm. Commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f explicitly prevents referrals for S4U2Self requests; on further analysis, this appears to have been preserving a bug rather than applying a proper constraint.

However, we should not issue referrals for within-realm S4U2Self requests. (This should only come up if a server possesses a TGT but its principal entry has been deleted.)

Remove the S4U2Self referral check in process_tgs_req(). Instead add a more specific check in kdc_process_s4u2self_req(), adding new parameters for the header server principal and a flag indicating whether a referral is indicated.

[ghudson@mit.edu: rewrote commit message; adjusted style slightly]

https://github.com/krb5/krb5/commit/bce3da1bc392cf5e8a4ca709f8eb1cfde974e36e
Author: Isaac Boukris
Committer: Greg Hudson
Commit: bce3da1bc392cf5e8a4ca709f8eb1cfde974e36e
Branch: master
 src/kdc/do_tgs_req.c | 12 +++---------
 src/kdc/kdc_util.c   | 11 +++++++++++
 src/kdc/kdc_util.h   |  2 ++
 3 files changed, 16 insertions(+), 9 deletions(-)