From 225d1c4c0e326b6a45a449a45da963d3f246b927 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 20 Mar 2025 00:22:34 +0100
Subject: [PATCH] kdc: Constrained delegation requires a local delegating server

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15837
Signed-off-by: Stefan Metzmacher
---
 kdc/mssfu.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/kdc/mssfu.c b/kdc/mssfu.c
index c9e42bcfc..9c13d5d7a 100644
--- a/kdc/mssfu.c
+++ b/kdc/mssfu.c
@@ -380,6 +380,19 @@ validate_constrained_delegation(astgs_request_t r)
 goto out;
 }

+ /*
+ * We require that the delegating server (r->client) is local
+ * and was found in the local database.
+ */
+ if (r->client == NULL) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ kdc_audit_addreason((kdc_request_t)r, "Remote delegating server");
+ kdc_log(r->context, r->config, 4,
+ "Constrained delegation without local delegating server, %s/%s",
+ r->cname, r->sname);
+ goto out;
+ }
+
 t = &b->additional_tickets->val[0];

 ret = hdb_enctype2key(r->context, r->client,
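Review bot: The comment added above the `r->client == NULL` guard states the requirement but not the reason for it, which is that the statement right after the guard passes `r->client` to `hdb_enctype2key()`, so a request whose delegating server was not found in the local database has to be refused before that call. I would add one line to the comment, for example `* r->client is handed to hdb_enctype2key() below and must be non-NULL there.` validate_constrained_delegation() starts above this hunk and continues past it, so it is also worth confirming that nothing earlier in the function reads through `r->client` ahead of this check.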