author    Luke Howard <lukeh@padl.com>    2009-08-21 12:04:50 +0000
committer Luke Howard <lukeh@padl.com>    2009-08-21 12:04:50 +0000
commit    c76bae371e38e7b7e4a661bb9ff7322714d00924 (patch)
tree      4002780ee4266d494a0272f4d7ea791824bb3360
parent    590b6f7635193bbb61742323635dba5faf8c9629 (diff)
The Novell S4U patch included some code to disable the forwardable flag based on the user's authorization data. My understanding from reading [MS-SFU] is that there is no requirement to do this, which leads me to believe that the state of the forwardable flag should be determined by examining the cross-realm TGT (in the case of a user from a foreign realm) and from the user's KDB entry (when issuing a ticket within their own realm). I am awaiting clarification of this both from MS and Novell.

git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/s4u@22558 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--  src/kdc/kdc_authdata.c  9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 43ea086..504d3fb 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -544,9 +544,18 @@ handle_tgt_authdata (krb5_context context,
}
if (ad_nprincs != 0) {
+ /*
+ * This code was submitted by Novell; however there is no
+ * mention in [MS-SFU] of needing to examine the authorization
+ * data to clear the forwardable flag. My understanding is that
+ * the state of the forwardable flag is propagated through the
+ * cross-realm TGTs.
+ */
+#if 0
if (isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
isflagset(ad_entry.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
clear(enc_tkt_reply->flags, TKT_FLG_FORWARDABLE);
+#endif
krb5_db_free_principal(context, &ad_entry, ad_nprincs);
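Review bot: wrapping the check in `#if 0` disables the only enforcement of `KRB5_KDB_DISALLOW_FORWARDABLE` visible in this hunk for the protocol-transition (S4U2Self) path, but nothing in the hunk replaces it with the check the commit message says should apply instead (the cross-realm TGT's flags for a foreign-realm user, the client's own KDB entry for a local user). Until the clarification from MS and Novell arrives, a principal marked DISALLOW_FORWARDABLE can come out of this path with `TKT_FLG_FORWARDABLE` still set unless that is enforced elsewhere, which the diff does not show. Either keep the check active until the replacement exists, or delete the three lines outright and leave a `TODO` in the comment naming the intended source of the flag, rather than carrying dead code under `#if 0`. Also note that with the check gone, `ad_entry` is still looked up and then freed by `krb5_db_free_principal(context, &ad_entry, ad_nprincs);` with no remaining consumer in this block; if the lookup has no other use it can go as well.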