kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given

A service that needs a ticket to itself should use S4U2Self instead of S4U2Proxy.

Windows servers allow S4U2Proxy only to explicitly configured
target principals.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Stefan Metzmacher
2011-06-24 12:40:33 +02:00
committed by Love Hörnquist Åstrand
parent 6cb0e81760
commit aabb937b46


@@ -525,15 +525,15 @@ check_constrained_delegation(krb5_context context,
return ret;
}
/* if client delegates to itself, that ok */
if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
return 0;
if (clientdb->hdb_check_constrained_delegation) {
ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
if (ret == 0)
return 0;
} else {
/* if client delegates to itself, that ok */
if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
return 0;
ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
if (ret) {
krb5_clear_error_message(context);