From 50067e81712e3aa7580dfdac57358c94f13b0668 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 21 Mar 2025 13:09:37 +0100
Subject: [PATCH] kdc: clear et->flags.ok_as_delegate if cross-realm krbtgt does not have it

Signed-off-by: Stefan Metzmacher
---
 kdc/krb5tgs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index c7473c409..9b8cb29d9 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -687,6 +687,10 @@ tgs_make_reply(astgs_request_t r,
 et->flags.hw_authent = tgt->flags.hw_authent;
 et->flags.ok_as_delegate = r->server->flags.ok_as_delegate;
 
+ /* See MS-KILE 3.3.5.7.5 Cross-Domain Trust and Referrals */
+ if (!r->krbtgt->flags.ok_as_delegate)
+ et->flags.ok_as_delegate = 0;
+
 /* See MS-KILE 3.3.5.1 */
 if (!r->server->flags.forwardable)
 et->flags.forwardable = 0;
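Review bot: The new test on `r->krbtgt->flags.ok_as_delegate` runs for every TGS request, not only when the presented TGT came through a cross-realm krbtgt as the subject line says, so a local krbtgt entry that lacks the flag would strip ok_as_delegate from all in-realm service tickets. Clearing the flag is the fail-closed direction, but whether local krbtgt entries carry it is not visible in this hunk, and if they do not, clients would stop forwarding TGTs to services marked for delegation. Either restrict the check to the cross-realm case or state the requirement next to it, e.g. `/* Applies to every krbtgt entry, local or cross-realm; the local krbtgt must carry ok_as_delegate for in-realm tickets to keep it */`. The hunk also assumes `r->krbtgt` is non-NULL at this point; tgs_make_reply starts and ends outside the hunk, so that cannot be confirmed from here.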