ensure that forwardable flag is propagated along S4U2Self referral path

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22960 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 8 insertions, 1 deletions

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 7ea3975..057a442 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -466,11 +466,18 @@ tgt_again:
                 isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
                 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
             /*
+             * Forwardable flag is propagated along referral path.
+             */
+            else if (is_referral &&
+                !isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE))
+                clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+            /*
              * OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
              * S4U2Self in order for forwardable tickets to be returned.
              */
             else if (!is_referral &&
-                !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+                (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE) ||
+                 !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)))
                 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
         }
     }