From aabb937b46846922f70c2dc4cb95521d15f70764 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 24 Jun 2011 12:40:33 +0200 Subject: [PATCH] kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A service should use S4U2Self instead of S4U2Proxy. Windows servers allow S4U2Proxy only to explicitly configured target principals. metze Signed-off-by: Love Hörnquist Åstrand --- kdc/krb5tgs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 51b198446..3e688d033 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -525,15 +525,15 @@ check_constrained_delegation(krb5_context context,
         return ret;
     }
 
-    /* if client delegates to itself, that ok */
-    if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
-        return 0;
-
     if (clientdb->hdb_check_constrained_delegation) {
         ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
         if (ret == 0)
             return 0;
     } else {
+        /* if client delegates to itself, that ok */
+        if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
+            return 0;
+
         ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
         if (ret) {
             krb5_clear_error_message(context);
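Review bot: The self-delegation shortcut moved into the `else` branch compares `client->entry.principal` with `server->entry.principal`, whereas the backend hook call just above it and the ACL lookup right below are keyed on `target`; the function's parameter list is not visible here, so whether `server` and `target` can differ for one request is inferred, but if they can, this branch grants delegation to any target as soon as the requesting client is the server itself, which is a broader rule than the per-target ACL that follows it. Either compare against `target` as well, or state the intent next to the moved check so the asymmetry is deliberate, e.g. `/* Self-delegation is only tolerated by the built-in ConstrainedDelegACL backend; a hdb_check_constrained_delegation hook decides this itself, and a service should use S4U2Self instead. */`. It would also help to keep the "server vs. target" distinction explicit in that comment, since the same `==` TRUE idiom is used for two different operands three lines apart. check_constrained_delegation begins before this hunk and its body continues after it.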