summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/heimdal/kdc/krb5tgs.c24
1 files changed, 19 insertions, 5 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 16f8434a5c..14db1f1412 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -505,18 +505,32 @@ check_constrained_delegation(krb5_context context,
krb5_kdc_configuration *config,
HDB *clientdb,
hdb_entry_ex *client,
- krb5_const_principal server)
+ hdb_entry_ex *server,
+ krb5_const_principal target)
{
const HDB_Ext_Constrained_delegation_acl *acl;
krb5_error_code ret;
int i;
+ /*
+ * constrained_delegation (S4U2Proxy) only works within
+ * the same realm. We use the already canonicalized version
+ * of the principals here, while "target" is the principal
+ * provided by the client.
+ */
+ if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ kdc_log(context, config, 0,
+ "Bad request for constrained delegation");
+ return ret;
+ }
+
/* if client delegates to itself, that ok */
- if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
+ if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
return 0;
if (clientdb->hdb_check_constrained_delegation) {
- ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
+ ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
if (ret == 0)
return 0;
} else {
@@ -528,7 +542,7 @@ check_constrained_delegation(krb5_context context,
if (acl) {
for (i = 0; i < acl->len; i++) {
- if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
+ if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
return 0;
}
}
@@ -2026,7 +2040,7 @@ server_lookup:
}
ret = check_constrained_delegation(context, config, clientdb,
- client, sp);
+ client, server, sp);
if (ret) {
kdc_log(context, config, 0,
"constrained delegation from %s as %s to %s not allowed",