From 9aa573c9ce76341f9835f43605e5925167076e20 Mon Sep 17 00:00:00 2001
From: "Roland C. Dowdeswell" <roland.dowdeswell@twosigma.com>
Date: Fri, 21 Jun 2019 14:02:22 +0100
Subject: [PATCH] kdc: no error if req is fwdable on non-fwdable princ

Instead of returning an error if the client asks for
a forwardable ticket where it isn't allowed, we simply
return one that isn't forwardable.
---
 kdc/kerberos5.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 864b8bf40..61c3d1b23 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2077,11 +2077,6 @@ _kdc_as_rep(kdc_request_t r,
     r->et.flags.initial = 1;
     if(r->client->entry.flags.forwardable && r->server->entry.flags.forwardable)
 	r->et.flags.forwardable = f.forwardable;
-    else if (f.forwardable) {
-	_kdc_set_e_text(r, "Ticket may not be forwardable");
-	ret = KRB5KDC_ERR_POLICY;
-	goto out;
-    }
     if(r->client->entry.flags.proxiable && r->server->entry.flags.proxiable)
 	r->et.flags.proxiable = f.proxiable;
     else if (f.proxiable) {