kdc: check for cname-in-addl-tkt flag in constrained delegation

Before accepting an additional ticket for use with constrained delegation, verify the cname-in-addl-tkt flag was set. If not, ignore the request.
2019-06-03 11:55:54 +10:00
parent cf940e15f4
commit 7381a280c8
1 changed files with 1 additions and 0 deletions
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2183,6 +2183,7 @@ server_lookup:
    if (client != NULL
 	&& b->additional_tickets != NULL
 	&& b->additional_tickets->len != 0
+	&& b->kdc_options.cname_in_addl_tkt
 	&& b->kdc_options.enc_tkt_in_skey == 0)
    {
 	int ad_signedpath = 0;