From: ghudson@mit.edu
Subject: git commit

Allow referrals for cross-realm S4U2Self requests

According to MS-SFU 3.2.5.1.1, the KDC should issue a referral for
S4U2Self requests if the requesting service is not in the KDC's realm.
Commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f explicitly prevents
referrals for S4U2Self requests; on further analysis, this appears to
have been preserving a bug rather than applying a proper constraint.
However, we should not issue referrals for within-realm S4U2Self
requests. (This should only come up if a server possesses a TGT but
its principal entry has been deleted.)

Remove the S4U2Self referral check in process_tgs_req(). Instead add
a more specific check in kdc_process_s4u2self_req(), adding new
parameters for the header server principal and a flag indicating
whether a referral is indicated.

[ghudson@mit.edu: rewrote commit message; adjusted style slightly]

https://github.com/krb5/krb5/commit/bce3da1bc392cf5e8a4ca709f8eb1cfde974e36e
Author: Isaac Boukris <iboukris@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: bce3da1bc392cf5e8a4ca709f8eb1cfde974e36e
Branch: master
src/kdc/do_tgs_req.c | 12 +++---------
src/kdc/kdc_util.c | 11 +++++++++++
src/kdc/kdc_util.h | 2 ++
3 files changed, 16 insertions(+), 9 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add test for cross realm S4U2Self using referrals

[ghudson@mit.edu: factored out tgtname() in kdb_test.c; added trace
messages to tests and removed old redundant test]

https://github.com/krb5/krb5/commit/aec6e0f51bfc20be67b70a7d81808b4add22838a
Author: Isaac Boukris <iboukris@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: aec6e0f51bfc20be67b70a7d81808b4add22838a
Branch: master
src/plugins/kdb/test/kdb_test.c | 37 +++++++++++++++++++++++++++++---
src/tests/gssapi/t_s4u.py | 44 +++++++++++++++++++++++++++++---------
2 files changed, 66 insertions(+), 15 deletions(-)