author | Andrew Bartlett <abartlet@samba.org> | 2005-11-07 02:24:50 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:51 -0500 |
commit | 7bfbe8af7e9556c3f11579dab965718325006b3a (patch) | |
tree | 7d4afb4bae6f37707a04f098730ada93f74db01c | |
parent | f9c2f271e805fdf3e5d7c0632dc26c6258b5a5ed (diff) | |
r11541: More logical (I think...) delegation semantics.
Andrew Bartlett
(This used to be commit 6bb1b244284a209ebcb50c17ad59d4528658da0b)
-rw-r--r-- | source4/heimdal/lib/gssapi/init_sec_context.c | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c
index 06aba8f785..e7e8f5153e 100644
--- a/source4/heimdal/lib/gssapi/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/init_sec_context.c
@@ -407,20 +407,24 @@ gsskrb5_initiator_start
     ap_options = 0;
     /*
-     * If the realm policy approves a delegation, lets check local
-     * policy if the credentials should be delegated, defafult to
-     * false.
+     * The KDC may have issued us a service ticket marked NOT
+     * ok-as-delegate. We may still wish to force the matter, and to
+     * allow this we check a per-realm gssapi [appdefaults] config
+     * option. If ok-as-delegate in the config file is set to TRUE
+     * (default FALSE) and our caller has so requested, we will still
+     * attempt to forward the ticket.
+     *
+     * Otherwise, strip the GSS_C_DELEG_FLAG (so we don't attempt a
+     * delegation)
      */
-    if (cred->flags.b.ok_as_delegate) {
-        krb5_boolean delegate = FALSE;
+    if (!cred->flags.b.ok_as_delegate) {
+        krb5_boolean delegate;
-        _gss_check_compat(NULL, target_name, "ok-as-delegate",
-                          &delegate, TRUE);
         krb5_appdefault_boolean(gssapi_krb5_context, "gssapi",
                                 target_name->realm,
-                                "ok-as-delegate", delegate, &delegate);
-        if (delegate)
-            req_flags |= GSS_C_DELEG_FLAG;
+                                "ok-as-delegate", FALSE, &delegate);
+        if (!delegate)
+            req_flags &= ~GSS_C_DELEG_FLAG;
     }
     if (req_flags & GSS_C_DELEG_FLAG) { |
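Review bot: The `ok-as-delegate` appdefault consulted inside the new `if (!cred->flags.b.ok_as_delegate)` branch can only widen delegation: it is read only when the KDC did not set ok-as-delegate, so local configuration has no way to veto forwarding to a realm whose KDC marks tickets ok-as-delegate, and when enabled it overrides the KDC for every service in `target_name->realm` rather than a single service. Both are defensible policy choices, but the new comment describes only the "force the matter" direction and an administrator reading it may assume the knob works both ways. I would extend the comment block with ` * Note that this knob only widens delegation: it is realm-wide and cannot refuse a ticket the KDC did mark ok-as-delegate; in that case the caller's GSS_C_DELEG_FLAG is the only brake.` The body of gsskrb5_initiator_start starts and ends outside this hunk, so the later handling of GSS_C_DELEG_FLAG is not visible here.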