HEIMDAL:kdc: don't allow self delegation if a backend check_constrained_delegation...
authorStefan Metzmacher <metze@samba.org>
Fri, 24 Jun 2011 10:40:33 +0000 (12:40 +0200)
committerStefan Metzmacher <metze@samba.org>
Fri, 24 Jun 2011 16:53:49 +0000 (18:53 +0200)
A service that needs a ticket to itself should use S4U2Self instead of S4U2Proxy.

Windows servers allow S4U2Proxy only to explicitly configured
target principals.

metze

source4/heimdal/kdc/krb5tgs.c

index 14db1f1412bea49e71ae5ef36a98dfba8b4ecb89..e4fdb144ebadad2c279bfb3ca34e2ad835158187 100644 (file)
@@ -525,15 +525,15 @@ check_constrained_delegation(krb5_context context,
        return ret;
     }
 
-    /* if client delegates to itself, that ok */
-    if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
-       return 0;
-
     if (clientdb->hdb_check_constrained_delegation) {
        ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
        if (ret == 0)
            return 0;
     } else {
+       /* if client delegates to itself, that ok */
+       if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
+           return 0;
+
        ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
        if (ret) {
            krb5_clear_error_message(context);
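Review bot: The moved comment at the top of the else branch still reads "if client delegates to itself, that ok" and does not say why this exemption is now confined to the legacy ConstrainedDelegACL path, which is the whole point of the change; a reader of the code alone will not know that a backend hdb_check_constrained_delegation hook is meant to be authoritative and that self-delegation is deliberately not implied for it. I would replace that comment with `/* Self-delegation is only implied in the legacy ACL path; a backend hook decides on its own and must list the target explicitly (a service wanting a ticket to itself should use S4U2Self). */`. Note also that the hook is given `target` while the self check compares `server->entry.principal`, so the two paths may judge "self" by different names if those can differ; worth confirming against the callers. The `== TRUE` on the krb5_principal_compare result could be dropped in the moved line, `if (krb5_principal_compare(context, client->entry.principal, server->entry.principal))`. check_constrained_delegation continues past the hunk, so whether a non-zero result from the hook is propagated as the failure is not visible here.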