update comments describing clearing of forwardable flag, again

git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/s4u@22548 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 5 insertions, 3 deletions

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c9d0a2e..0a7c968 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -444,10 +444,12 @@ tgt_again:
         if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
             /*
              * If S4U2Self principal is not forwardable, then mark ticket as
-             * unforwardable. This behaviour matches Windows rather than MIT
-             * (which returns KDC_ERR_BADOPTION in the AS-REQ code path).
+             * unforwardable. This behaviour matches Windows, but it is
+             * different to the MIT AS-REQ path, which returns an error
+             * (KDC_ERR_POLICY) if forwardable tickets cannot be issued.
              *
-             * Consider this block the S4U2Self validate_forwardable().
+             * Consider this block the S4U2Self equivalent to
+             * validate_forwardable().
              */
             if (c_nprincs &&
                 isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))