author | Stefan Metzmacher <metze@samba.org> | 2011-06-24 12:40:33 +0200 |
committer | Stefan Metzmacher <metze@samba.org> | 2011-06-24 18:53:49 +0200 |
commit | 2996945de6cc6ab223da977b806ca7737c43ec7f (patch) | |
tree | 64ec2f09bfab060fa0c07390a79c2536766daabf | |
parent | 7229b0d5b2515cc4d487b80f77dc532104aa68d3 (diff) | |
HEIMDAL:kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given
A service should use S4U2Self instead of S4U2Proxy.
Windows servers allow S4U2Proxy only to explicitly configured
target principals.
metze
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 14db1f1412..e4fdb144eb 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -525,15 +525,15 @@ check_constrained_delegation(krb5_context context,
 return ret;
 }
 
- /* if client delegates to itself, that ok */
- if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
- return 0;
-
 if (clientdb->hdb_check_constrained_delegation) {
 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
 if (ret == 0)
 return 0;
 } else {
+ /* if client delegates to itself, that ok */
+ if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
+ return 0;
+
 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
 if (ret) {
 krb5_clear_error_message(context); |
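Review bot: The policy change at the `if (clientdb->hdb_check_constrained_delegation)` branch is not recorded in the code: a reader of the new side sees the self-delegation short-circuit only in the ACL fallback and has to guess that its absence from the hook branch is deliberate rather than an oversight. A comment on that `if` line would pin the intent, e.g. `/* The backend hook is authoritative: it decides the target list, including self-delegation (Windows allows S4U2Proxy only to configured targets), so no implicit self-delegation here. */`. The moved comment `/* if client delegates to itself, that ok */` would also read better as `/* Legacy ACL path: a client delegating to itself is always allowed. */`, and `krb5_principal_compare(...) == TRUE` can be written as a plain truth test, `if (krb5_principal_compare(context, client->entry.principal, server->entry.principal))`, which is what the rest of Heimdal does with krb5_boolean. What happens when the hook returns non-zero is outside the hunk, as check_constrained_delegation both starts before and continues past it; presumably the failure path below is reached, which should be confirmed since the removed self-delegation check used to mask that case.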