krb5: rename constrained-delegatiom to cname-in-addl-tkt
For consistency with [MS-SFU], rename the constrained-delegation KDC option to cname-in-addl-tkt (client name in additional ticket).
@@ -2439,5 +2439,5 @@ _kdc_is_anon_request(const KDC_REQ_BODY *b)
|
||||
version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy
|
||||
requests will have a second ticket; don't consider those anonymous */
|
||||
return (b->kdc_options.request_anonymous ||
|
||||
(b->kdc_options.constrained_delegation && !b->additional_tickets));
|
||||
(b->kdc_options.cname_in_addl_tkt && !b->additional_tickets));
|
||||
}
|
||||
|
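Review bot: The `!b->additional_tickets` test in the return expression only establishes that the optional field is absent. If the decoder can produce a present-but-empty sequence, a request with bit 14 set and no usable second ticket would be classified as S4U2Proxy rather than anonymous. Should the field carry a length, a stricter test would be `(b->additional_tickets == NULL || b->additional_tickets->len == 0)`; the `len` member is assumed here and is not visible in the hunk. The function's opening and the start of its comment lie outside the hunk.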
@@ -355,7 +355,7 @@ KDCOptions ::= BIT STRING {
|
||||
allow-postdate(5),
|
||||
postdated(6),
|
||||
renewable(8),
|
||||
constrained-delegation(14), -- ms extension (aka cname-in-addl-tkt)
|
||||
cname-in-addl-tkt(14), -- ms extension
|
||||
canonicalize(15),
|
||||
request-anonymous(16),
|
||||
disable-transited-check(26),
|
||||
|
@@ -558,7 +558,7 @@ get_cred_kdc(krb5_context context,
|
||||
out_creds->times.endtime = in_creds->times.endtime;
|
||||
|
||||
/* XXX should do better testing */
|
||||
if (flags.b.constrained_delegation || impersonate_principal)
|
||||
if (flags.b.cname_in_addl_tkt || impersonate_principal)
|
||||
eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
|
||||
if (flags.b.request_anonymous)
|
||||
eflags |= EXTRACT_TICKET_MATCH_ANON;
|
||||
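Review bot: `flags.b.cname_in_addl_tkt` on its own turns on `EXTRACT_TICKET_ALLOW_CNAME_MISMATCH`, so a caller-selected option relaxes the client-name check applied to the reply, and the `/* XXX should do better testing */` comment directly above acknowledges that gap. The XXX would be more useful as a statement of what is expected, for example `/* S4U: reply cname is the impersonated/delegated client; TODO compare it with the expected principal instead of skipping the match */`. get_cred_kdc continues beyond the hunk, so a later check may exist that is not visible here.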
@@ -1062,7 +1062,7 @@ get_cred_kdc_referral(krb5_context context,
|
||||
char *referral_realm;
|
||||
|
||||
/* Use cache if we are not doing impersonation or contrained deleg */
|
||||
if (impersonate_principal == NULL || flags.b.constrained_delegation) {
|
||||
if (impersonate_principal == NULL || flags.b.cname_in_addl_tkt) {
|
||||
krb5_cc_clear_mcred(&mcreds);
|
||||
mcreds.server = referral.server;
|
||||
krb5_timeofday(context, &mcreds.times.endtime);
|
||||
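Review bot: The comment and the condition disagree. The comment says the cache is used when the request is neither impersonation nor constrained delegation, yet `impersonate_principal == NULL || flags.b.cname_in_addl_tkt` also takes the cache path whenever the flag is set. If the comment states the intent, the test would read `if (impersonate_principal == NULL && !flags.b.cname_in_addl_tkt) {`; otherwise the comment should be reworded (and "contrained" corrected). It matters because the visible lookup fills `mcreds` only with the server and an end time, which may not single out the ticket a delegation request needs. The block continues outside the hunk, so which reading was intended cannot be confirmed from here.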
@@ -1645,7 +1645,7 @@ next_rule:
|
||||
if (options & KRB5_GC_NO_TRANSIT_CHECK)
|
||||
flags.b.disable_transited_check = 1;
|
||||
if (options & KRB5_GC_CONSTRAINED_DELEGATION)
|
||||
flags.b.constrained_delegation = 1;
|
||||
flags.b.cname_in_addl_tkt = 1;
|
||||
if (options & KRB5_GC_ANONYMOUS)
|
||||
flags.b.request_anonymous = 1;
|
||||
|
||||
|
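Review bot: After the rename, `KRB5_GC_CONSTRAINED_DELEGATION` sets a flag whose name no longer mentions delegation, so the link between the public option and the KDC option is harder to find by searching. A one-line comment at the assignment would keep it: `/* KRB5_GC_CONSTRAINED_DELEGATION selects KDC option bit 14, cname-in-addl-tkt ([MS-SFU] S4U2Proxy) */`. The enclosing function starts and ends outside the hunk.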