-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 24 |
1 files changed, 19 insertions, 5 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 16f8434a5c..14db1f1412 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -505,18 +505,32 @@ check_constrained_delegation(krb5_context context,
 krb5_kdc_configuration *config,
 HDB *clientdb,
 hdb_entry_ex *client,
- krb5_const_principal server)
+ hdb_entry_ex *server,
+ krb5_const_principal target)
 {
 const HDB_Ext_Constrained_delegation_acl *acl;
 krb5_error_code ret;
 int i;
 
+ /*
+ * constrained_delegation (S4U2Proxy) only works within
+ * the same realm. We use the already canonicalized version
+ * of the principals here, while "target" is the principal
+ * provided by the client.
+ */
+ if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ kdc_log(context, config, 0,
+ "Bad request for constrained delegation");
+ return ret;
+ }
+
 /* if client delegates to itself, that ok */
- if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
+ if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
 return 0;
 
 if (clientdb->hdb_check_constrained_delegation) {
- ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
+ ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
 if (ret == 0)
 return 0;
 } else {
@@ -528,7 +542,7 @@ check_constrained_delegation(krb5_context context,
 
 if (acl) {
 for (i = 0; i < acl->len; i++) {
- if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
+ if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
 return 0;
 }
 }
@@ -2026,7 +2040,7 @@ server_lookup:
 }
 
 ret = check_constrained_delegation(context, config, clientdb,
- client, sp);
+ client, server, sp);
 if (ret) {
 kdc_log(context, config, 0,
 "constrained delegation from %s as %s to %s not allowed", |
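Review bot: The realm-mismatch rejection added in the first hunk logs only "Bad request for constrained delegation", which does not record why the S4U2Proxy request was refused, and the `ret` temporary around it is redundant because the value is returned on the next line. I would log the reason and return the code directly: `kdc_log(context, config, 0, "Bad request for constrained delegation: client and server are in different realms");` followed by `return KRB5KDC_ERR_BADOPTION;`, and write `if (` rather than `if(` to match the other checks in this function. Note that the realm comparison and the self-delegation shortcut now use the canonicalized HDB entries, while the `hdb_check_constrained_delegation` backend hook still receives the client-supplied `target`, as the new comment states; a backend that resolves aliases should presumably be aware that the realm restriction was applied to the canonical names rather than to `target`. The function's signature begins before this hunk and its body continues past it.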
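Review bot: The ACL loop in the second hunk compares `target`, the principal name exactly as the requesting service supplied it according to the comment added earlier in this function, against each ACL entry with a full `krb5_principal_compare`, so an entry matches only when name and realm are spelled the way the client spelled them and an alias or differently-cased name for the same server entry fails closed. That looks like the intended name-based policy, but it is worth stating at the loop so a later reader does not "fix" it to compare the canonical server principal: `/* ACL entries are matched against the client-supplied target name, not the canonical server entry */`. The enclosing function starts and ends outside this hunk.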