From d28785e212a2451d399d5f4f0811cfbe57c59b5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 2 Nov 2005 11:52:49 +0000
Subject: [PATCH] Change sematics of ok-as-delegate to match windows if [gssapi]realm/ok-as-delegate=true is set, otherwise keep old sematics.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16283 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/init_sec_context.c | 17 ++++++++---------
 lib/gssapi/krb5/init_sec_context.c | 17 ++++++++---------
 2 files changed, 16 insertions(+), 18 deletions(-)
diff --git a/lib/gssapi/init_sec_context.c b/lib/gssapi/init_sec_context.c
index 05614a3f0..0f512ef6d 100644
--- a/lib/gssapi/init_sec_context.c
+++ b/lib/gssapi/init_sec_context.c
@@ -332,20 +332,19 @@ init_auth
 }
 /*
- * If the realm policy approves a delegation, lets check local
- * policy if the credentials should be delegated, defafult to
- * false.
+ * If the credential doesn't have ok-as-delegate, check what local
+ * policy say about ok-as-delegate, default is FALSE that makes
+ * code ignore all this, but if its TRUE, strip of the
+ * GSS_C_DELEG_FLAG.
 */
- if (cred->flags.b.ok_as_delegate) {
- krb5_boolean delegate = FALSE;
+ if (!cred->flags.b.ok_as_delegate) {
+ krb5_boolean delegate;
- _gss_check_compat(NULL, target_name, "ok-as-delegate",
- &delegate, TRUE);
 krb5_appdefault_boolean(gssapi_krb5_context, "gssapi", target_name->realm,
- "ok-as-delegate", delegate, &delegate);
+ "ok-as-delegate", FALSE, &delegate);
 if (delegate)
- req_flags |= GSS_C_DELEG_FLAG;
+ req_flags &= ~GSS_C_DELEG_FLAG;
 }
 flags = 0;
diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index 05614a3f0..0f512ef6d 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
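Review bot: In the new `if (!cred->flags.b.ok_as_delegate)` block the local `delegate` now means the opposite of its name: when it is TRUE the code clears GSS_C_DELEG_FLAG, so a reader skimming this policy check can easily take TRUE for the permissive case. Renaming the local, e.g. `krb5_boolean require_ok_as_delegate;` with `if (require_ok_as_delegate) req_flags &= ~GSS_C_DELEG_FLAG;`, keeps the behaviour and makes the check self-describing. The comment should also state the consequence of the FALSE default plainly, for example `Unless [gssapi] <realm>/ok-as-delegate is TRUE, a caller-requested GSS_C_DELEG_FLAG is kept even when the ticket lacks ok-as-delegate, so the KDC's delegation policy is not enforced.` The identical hunk in lib/gssapi/krb5/init_sec_context.c needs the same change; init_auth starts and ends outside both hunks, so how req_flags is consumed afterwards is not visible here.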
@@ -332,20 +332,19 @@ init_auth
 }
 /*
- * If the realm policy approves a delegation, lets check local
- * policy if the credentials should be delegated, defafult to
- * false.
+ * If the credential doesn't have ok-as-delegate, check what local
+ * policy say about ok-as-delegate, default is FALSE that makes
+ * code ignore all this, but if its TRUE, strip of the
+ * GSS_C_DELEG_FLAG.
 */
- if (cred->flags.b.ok_as_delegate) {
- krb5_boolean delegate = FALSE;
+ if (!cred->flags.b.ok_as_delegate) {
+ krb5_boolean delegate;
- _gss_check_compat(NULL, target_name, "ok-as-delegate",
- &delegate, TRUE);
 krb5_appdefault_boolean(gssapi_krb5_context, "gssapi", target_name->realm,
- "ok-as-delegate", delegate, &delegate);
+ "ok-as-delegate", FALSE, &delegate);
 if (delegate)
- req_flags |= GSS_C_DELEG_FLAG;
+ req_flags &= ~GSS_C_DELEG_FLAG;
 }
 flags = 0;