tgs-req: strip forwardable and proxiable if the server is disallowed

2020-01-18 14:47:02 +01:00
parent 921d528d8b
commit 839b073fac
2 changed files with 10 additions and 0 deletions
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -912,6 +912,12 @@ tgs_make_reply(astgs_request_t r,
    et.flags.hw_authent  = tgt->flags.hw_authent;
    et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;

+    /* See MS-KILE 3.3.5.1 */
+    if (!server->entry.flags.forwardable)
+	et.flags.forwardable = 0;
+    if (!server->entry.flags.proxiable)
+	et.flags.proxiable = 0;
+
    /*
     * For anonymous tickets, we should filter out positive authorization data
     * that could reveal the client's identity, and return a policy error for