kdc: Honor no-auth-data-reqd on cross-realm TGTs
Nowadays we use PACs instead of AD-SIGNEDPATH, so we want a PAC on every TGT, but we don't necessarily want PACs on cross-realm TGTs. Specifically, we don't yet interoperate well with AD when issuing cross-realm TGTs whose destination realm is an AD realm (see #1091).

committed by
Nico Williams

parent
8ac4266021
commit
27cdf81995
14
kdc/misc.c
14
kdc/misc.c
@@ -331,14 +331,22 @@ _kdc_verify_checksum(krb5_context context,
|
||||
* tickets, policy is governed by whether the client explicitly requested
|
||||
* a PAC be omitted when requesting a TGT, or if the no-auth-data-reqd
|
||||
* flag is set on the service principal entry.
|
||||
*
|
||||
* However, when issuing a cross-realm TGT to an AD realm our PAC might not
|
||||
* interoperate correctly. Therefore we honor the no-auth-data-reqd HDB entry
|
||||
* flag on cross-realm TGTs.
|
||||
*/
|
||||
|
||||
krb5_boolean
|
||||
_kdc_include_pac_p(astgs_request_t r)
|
||||
{
|
||||
if (krb5_principal_is_krbtgt(r->context, r->server->principal))
|
||||
return TRUE;
|
||||
else if (r->server->flags.no_auth_data_reqd)
|
||||
/* Always include a PAC in root TGTs */
|
||||
if (krb5_principal_is_krbtgt(r->context, r->server->principal)) {
|
||||
if (krb5_principal_is_root_krbtgt(r->context, r->server->principal) ||
|
||||
!r->server->flags.no_auth_data_reqd)
|
||||
return TRUE;
|
||||
}
|
||||
if (r->server->flags.no_auth_data_reqd)
|
||||
return FALSE;
|
||||
|
||||
return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));
|
||||
|
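Review bot: The comment `/* Always include a PAC in root TGTs */` above the new krbtgt block understates what the block decides: it also returns TRUE for a cross-realm TGT whenever no-auth-data-reqd is clear, and only that flag on the cross-realm krbtgt entry suppresses the PAC. Since the description says PACs now stand in for AD-SIGNEDPATH, clearing the PAC on a cross-realm TGT presumably also withholds whatever PAC-carried evidence the destination realm would otherwise see, so the trade-off belongs where the decision is made, e.g. `/* Every TGT carries a PAC, except a cross-realm TGT whose krbtgt entry has no-auth-data-reqd set (AD interop, see #1091); setting that flag is an explicit opt-out, not a default */`. The two no_auth_data_reqd tests could also collapse to `if (r->server->flags.no_auth_data_reqd) return krb5_principal_is_root_krbtgt(r->context, r->server->principal);` followed by `if (krb5_principal_is_krbtgt(r->context, r->server->principal)) return TRUE;`, which is equivalent provided a root krbtgt principal is always also a krbtgt principal. The function's closing brace lies outside the hunk.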