author | Luke Howard <lukeh@padl.com> | 2009-08-21 12:04:50 +0000 |
---|---|---|
committer | Luke Howard <lukeh@padl.com> | 2009-08-21 12:04:50 +0000 |
commit | c76bae371e38e7b7e4a661bb9ff7322714d00924 (patch) | |
tree | 4002780ee4266d494a0272f4d7ea791824bb3360 | |
parent | 590b6f7635193bbb61742323635dba5faf8c9629 (diff) | |
download | krb5-c76bae371e38e7b7e4a661bb9ff7322714d00924.zip krb5-c76bae371e38e7b7e4a661bb9ff7322714d00924.tar.gz krb5-c76bae371e38e7b7e4a661bb9ff7322714d00924.tar.bz2 |
The Novell S4U patch included some code to disable the forwardable
flag based on the user's authorization data. My understanding from
reading [MS-SFU] is that there is no requirement to do this, which
leads me to believe that the state of the forwardable flag should
be determined by examining the cross-realm TGT (in the case of a
user from a foreign realm) and from the user's KDB entry (when
issuing a ticket within their own realm).
I am awaiting clarification of this both from MS and Novell.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/s4u@22558 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/kdc/kdc_authdata.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index 43ea086..504d3fb 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -544,9 +544,18 @@ handle_tgt_authdata (krb5_context context, } if (ad_nprincs != 0) { + /* + * This code was submitted by Novell; however there is no + * mention in [MS-SFU] of needing to examine the authorization + * data to clear the forwardable flag. My understanding is that + * the state of the forwardable flag is propagated through the + * cross-realm TGTs. + */ +#if 0 if (isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && isflagset(ad_entry.attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) clear(enc_tkt_reply->flags, TKT_FLG_FORWARDABLE); +#endif krb5_db_free_principal(context, &ad_entry, ad_nprincs); |
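Review bot: Disabling the KRB5_KDB_DISALLOW_FORWARDABLE check with `#if 0` inside the `if (ad_nprincs != 0)` block leaves dead code on a security-relevant path while the commit message itself says the [MS-SFU] clarification from MS and Novell is still pending; either delete the three lines outright once that is confirmed, or keep them live and gate the behaviour on the answer, but do not ship an `#if 0` block whose only justification is an in-code "My understanding is" comment (a reference to the MS-SFU section or a tracking ticket would let the next reader verify it). Note the effect of the change as it stands: on a KRB5_KDB_FLAG_PROTOCOL_TRANSITION request the KDC no longer clears TKT_FLG_FORWARDABLE for a principal whose KDB entry carries KRB5_KDB_DISALLOW_FORWARDABLE, so any deployment that relied on that attribute to keep S4U2Self tickets non-forwardable in-realm loses the restriction, and the commit message's claim that the KDB entry decides the flag for in-realm users should be checked against whatever code sets the flag elsewhere. Also, within the visible context the `ad_entry` lookup now serves no purpose other than the `krb5_db_free_principal(context, &ad_entry, ad_nprincs)` that follows; if nothing outside this hunk uses `ad_entry`, the lookup should go as well rather than remain as wasted work.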