aboutsummaryrefslogtreecommitdiff
path: root/src/lib/gssapi/krb5/init_sec_context.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/gssapi/krb5/init_sec_context.c')
-rw-r--r--src/lib/gssapi/krb5/init_sec_context.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 631cbe0..5559fad 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -209,7 +209,8 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
if (code) {
/* don't fail here; just don't accept/do the delegation
request */
- data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG;
+ data->ctx->gss_flags &= ~(GSS_C_DELEG_FLAG |
+ GSS_C_DELEG_POLICY_FLAG);
data->checksum_data.length = 24;
} else {
@@ -495,6 +496,14 @@ new_connection(
ctx->krb_times = k_cred->times;
+ /*
+ * GSS_C_DELEG_POLICY_FLAG means to delegate only if the
+ * ok-as-delegate ticket flag is set.
+ */
+ if ((req_flags & GSS_C_DELEG_POLICY_FLAG)
+ && (k_cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
+ ctx->gss_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
+
if (default_mech) {
mech_type = (gss_OID) gss_mech_krb5;
}
generated by cgit v1.1 at 2024-07-16 16:54:11 +0000