[16144] in Kerberos-V5-bugs


[krbdev.mit.edu #8747] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Fri Oct 12 21:58:26 2018

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8747@krbdev.mit.edu>
Message-ID: <rt-8747-48895.13.3230239300271@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8747'":;
Date: Fri, 12 Oct 2018 21:58:10 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Allow referrals for cross-realm S4U2Self requests

According to MS-SFU 3.2.5.1.1, the KDC should issue a referral for
S4U2Self requests if the requesting service is not in the KDC's realm.
Commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f explicitly prevents
referrals for S4U2Self requests; on further analysis, this appears to
have been preserving a bug rather than applying a proper constraint.
However, we should not issue referrals for within-realm S4U2Self
requests.  (This should only come up if a server possesses a TGT but
its principal entry has been deleted.)

Remove the S4U2Self referral check in process_tgs_req().  Instead add
a more specific check in kdc_process_s4u2self_req(), adding new
parameters for the header server principal and a flag indicating
whether a referral is indicated.

[ghudson@mit.edu: rewrote commit message; adjusted style slightly]

https://github.com/krb5/krb5/commit/bce3da1bc392cf5e8a4ca709f8eb1cfde974e36e
Author: Isaac Boukris <iboukris@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: bce3da1bc392cf5e8a4ca709f8eb1cfde974e36e
Branch: master
 src/kdc/do_tgs_req.c |   12 +++---------
 src/kdc/kdc_util.c   |   11 +++++++++++
 src/kdc/kdc_util.h   |    2 ++
 3 files changed, 16 insertions(+), 9 deletions(-)
