From 2996945de6cc6ab223da977b806ca7737c43ec7f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 24 Jun 2011 12:40:33 +0200
Subject: HEIMDAL:kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given
A service should use S4U2Self instead of S4U2Proxy. Windows servers allow S4U2Proxy only to explicitly configured target principals.
metze
---
source4/heimdal/kdc/krb5tgs.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'source4/heimdal')
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 14db1f1412..e4fdb144eb 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -525,15 +525,15 @@ check_constrained_delegation(krb5_context context,
 return ret;
 }
- /* if client delegates to itself, that ok */
- if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
- return 0;
-
 if (clientdb->hdb_check_constrained_delegation) {
 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
 if (ret == 0)
 return 0;
 } else {
+ /* if client delegates to itself, that ok */
+ if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
+ return 0;
+
 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
 if (ret) {
 krb5_clear_error_message(context);
-- cgit
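Review bot: The relocated self-delegation shortcut in the else branch carries over the old comment "if client delegates to itself, that ok", which no longer explains why the shortcut is now confined to the built-in ConstrainedDelegACL path while a backend hook gets no such bypass; a maintainer reading only this branch will not see the intent the commit message states. I would replace it with `/* Built-in ACL path only: a client delegating to itself is accepted here. When a backend hook is present it alone decides (S4U2Self is the right mechanism for self), so no shortcut precedes it. */`. As a point of style, the added line compares a krb5_boolean against TRUE (`== TRUE`); testing the result directly, `if (krb5_principal_compare(context, client->entry.principal, server->entry.principal))`, is the usual Heimdal form and avoids depending on the exact non-zero value. Note that the comparison is against `server->entry.principal` whereas the hook is handed `target`; whether those are the same entry cannot be told from this hunk, and check_constrained_delegation begins and ends outside it, so what happens to a non-zero `ret` from the hook after the if/else is also not visible here.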