authorStefan Metzmacher <metze@samba.org>2011-06-24 12:40:33 +0200
committerStefan Metzmacher <metze@samba.org>2011-06-24 18:53:49 +0200
commit2996945de6cc6ab223da977b806ca7737c43ec7f (patch)
tree64ec2f09bfab060fa0c07390a79c2536766daabf
parent7229b0d5b2515cc4d487b80f77dc532104aa68d3 (diff)
HEIMDAL:kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given
A service should use S4U2Self instead of S4U2Proxy. Windows servers allow S4U2Proxy only to explicitly configured target principals. metze
-rw-r--r--source4/heimdal/kdc/krb5tgs.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 14db1f1412..e4fdb144eb 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -525,15 +525,15 @@ check_constrained_delegation(krb5_context context,
return ret;
}
- /* if client delegates to itself, that ok */
- if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
- return 0;
-
if (clientdb->hdb_check_constrained_delegation) {
ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
if (ret == 0)
return 0;
} else {
+ /* if client delegates to itself, that ok */
+ if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
+ return 0;
+
ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
if (ret) {
krb5_clear_error_message(context);
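Review bot: The hook branch at the `if (clientdb->hdb_check_constrained_delegation)` test now carries no comment saying that self-delegation is deliberately not short-circuited there, so a later reader comparing the two branches will read the asymmetry as an omission rather than the policy stated in the commit message. I would add, just before the hook call, `/* The backend decides; self-delegation is not implicitly allowed here (a service should use S4U2Self). */`. Note also that this is a behaviour change for any backend that supplies the hook and previously relied on the implicit self-delegation allow: such a request now takes whatever path follows a non-zero `ret` from the hook, which presumably ends in the function's "bad request" return below the hunk — worth stating in the comment so backend authors know they must handle the client == server case themselves. On the moved lines, `== TRUE` on the `krb5_principal_compare()` result is redundant for a krb5_boolean and could be dropped while the code is being touched. check_constrained_delegation starts before and continues after this hunk.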