-rw-r--r--source4/heimdal/lib/gssapi/init_sec_context.c24
1 files changed, 14 insertions, 10 deletions
diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c
index 06aba8f785..e7e8f5153e 100644
--- a/source4/heimdal/lib/gssapi/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/init_sec_context.c
@@ -407,20 +407,24 @@ gsskrb5_initiator_start
ap_options = 0;
/*
- * If the realm policy approves a delegation, lets check local
- * policy if the credentials should be delegated, defafult to
- * false.
+ * The KDC may have issued us a service ticket marked NOT
+ * ok-as-delegate. We may still wish to force the matter, and to
+ * allow this we check a per-realm gssapi [appdefaults] config
+ * option. If ok-as-delegate in the config file is set to TRUE
+ * (default FALSE) and our caller has so requested, we will still
+ * attempt to forward the ticket.
+ *
+ * Otherwise, strip the GSS_C_DELEG_FLAG (so we don't attempt a
+ * delegation)
*/
- if (cred->flags.b.ok_as_delegate) {
- krb5_boolean delegate = FALSE;
+ if (!cred->flags.b.ok_as_delegate) {
+ krb5_boolean delegate;
- _gss_check_compat(NULL, target_name, "ok-as-delegate",
- &delegate, TRUE);
krb5_appdefault_boolean(gssapi_krb5_context,
"gssapi", target_name->realm,
- "ok-as-delegate", delegate, &delegate);
- if (delegate)
- req_flags |= GSS_C_DELEG_FLAG;
+ "ok-as-delegate", FALSE, &delegate);
+ if (!delegate)
+ req_flags &= ~GSS_C_DELEG_FLAG;
}
if (req_flags & GSS_C_DELEG_FLAG) {