From 7bfbe8af7e9556c3f11579dab965718325006b3a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 7 Nov 2005 02:24:50 +0000
Subject: r11541: More logical (I think...) delegation semantics.

Andrew Bartlett
(This used to be commit 6bb1b244284a209ebcb50c17ad59d4528658da0b)
---
 source4/heimdal/lib/gssapi/init_sec_context.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

(limited to 'source4')

diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c
index 06aba8f785..e7e8f5153e 100644
--- a/source4/heimdal/lib/gssapi/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/init_sec_context.c
@@ -407,20 +407,24 @@ gsskrb5_initiator_start
     ap_options = 0;
 
     /*
-     * If the realm policy approves a delegation, lets check local
-     * policy if the credentials should be delegated, defafult to
-     * false.
+     * The KDC may have issued us a service ticket marked NOT
+     * ok-as-delegate. We may still wish to force the matter, and to
+     * allow this we check a per-realm gssapi [appdefaults] config
+     * option. If ok-as-delegate in the config file is set to TRUE
+     * (default FALSE) and our caller has so requested, we will still
+     * attempt to forward the ticket.
+     *
+     * Otherwise, strip the GSS_C_DELEG_FLAG (so we don't attempt a
+     * delegation)
      */
-    if (cred->flags.b.ok_as_delegate) {
-        krb5_boolean delegate = FALSE;
+    if (!cred->flags.b.ok_as_delegate) {
+        krb5_boolean delegate;
 
-        _gss_check_compat(NULL, target_name, "ok-as-delegate",
-                          &delegate, TRUE);
         krb5_appdefault_boolean(gssapi_krb5_context, "gssapi",
                                 target_name->realm,
-                                "ok-as-delegate", delegate, &delegate);
-        if (delegate)
-            req_flags |= GSS_C_DELEG_FLAG;
+                                "ok-as-delegate", FALSE, &delegate);
+        if (!delegate)
+            req_flags &= ~GSS_C_DELEG_FLAG;
     }
 
     if (req_flags & GSS_C_DELEG_FLAG) {
-- cgit
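Review bot: The new branch consults the gssapi appdefault only when the ticket is not ok-as-delegate, so once `cred->flags.b.ok_as_delegate` is set a caller's GSS_C_DELEG_FLAG is honored with no local check at all; the removed `_gss_check_compat` / `krb5_appdefault_boolean` pair appears to have let site configuration veto delegation even for KDC-approved tickets, and that veto is gone. If a local deny is still wanted, the lookup can run unconditionally with the ticket flag as its default, `krb5_appdefault_boolean(gssapi_krb5_context, "gssapi", target_name->realm, "ok-as-delegate", cred->flags.b.ok_as_delegate, &delegate);` followed by `if (!delegate) req_flags &= ~GSS_C_DELEG_FLAG;`, which keeps the forcing case this commit adds. Either way the new comment should state plainly that setting ok-as-delegate = true for a realm forwards the caller's credentials to every service in that realm the KDC declined to mark, since that is the risk an administrator accepts by enabling it. Dropping the `_gss_check_compat` call may leave that helper without a caller if this was its only use, which is worth checking. gsskrb5_initiator_start continues outside the hunk.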