lib/krb5: add [libdefaults] acceptor_skip_transit_check and KRB5_VERIFY_AP_REQ_SKIP_T...
authorStefan Metzmacher <metze@samba.org>
Fri, 18 Aug 2017 13:33:17 +0000 (15:33 +0200)
committerStefan Metzmacher <metze@samba.org>
Fri, 3 Dec 2021 10:35:34 +0000 (11:35 +0100)
In Active Directory a domain member relies on (trusts) the [K]DCs
of the domain. It's the job of the [K]DCs to only generate useful
tickets as they know about the trust topology.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher <metze@samba.org>
lib/krb5/krb5.h
lib/krb5/rd_req.c

index 3950bd30a4ec3a22b5384a506613d1cc67feef4b..182de05e588f841f7f94d8c65725f0b81e583531 100644 (file)
@@ -440,6 +440,7 @@ typedef union {
 
 #define KRB5_VERIFY_AP_REQ_IGNORE_INVALID      (1 << 0)
 #define KRB5_VERIFY_AP_REQ_IGNORE_ADDRS                (1 << 1)
+#define KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK        (1 << 2)
 
 #define KRB5_GC_CACHED                 (1U << 0)
 #define KRB5_GC_USER_USER              (1U << 1)
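Review bot: The new KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK flag is added to the public header without a comment saying which check it disables, and a flag that bypasses a security check should state its contract where callers see it. A one-line comment above the define would do, e.g. `/* Caller asserts the KDC already enforced transit policy; krb5_decrypt_ticket() then skips check_transited() for this ticket. */`. This is a documentation-only suggestion; the value (1 << 2) itself does not collide with the two existing bits.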
index d5f99c603a13323acce56e65b34db83049787752..3715ab782f41c76578855f15b89be112382b1f4b 100644 (file)
@@ -203,6 +203,7 @@ krb5_decrypt_ticket(krb5_context context,
     {
        krb5_timestamp now;
        time_t start = t.authtime;
+       krb5_boolean skip_transit_check = FALSE;
 
        krb5_timeofday (context, &now);
        if(t.starttime)
@@ -220,7 +221,20 @@ krb5_decrypt_ticket(krb5_context context,
            return KRB5KRB_AP_ERR_TKT_EXPIRED;
        }
 
-       if(!t.flags.transited_policy_checked) {
+       if(t.flags.transited_policy_checked) {
+           skip_transit_check = TRUE;
+       } else if(flags & KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK) {
+           skip_transit_check = TRUE;
+       } else {
+           skip_transit_check = krb5_config_get_bool_default(context,
+                                                             NULL,
+                                                             FALSE,
+                                                             "libdefaults",
+                                                             "acceptor_skip_transit_check",
+                                                              NULL);
+       }
+
+       if (!skip_transit_check) {
            ret = check_transited(context, ticket, &t);
            if(ret) {
                free_EncTicketPart(&t);
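Review bot: The [libdefaults] acceptor_skip_transit_check knob disables check_transited() for every cross-realm ticket this acceptor receives, even when the KDC did not set transited_policy_checked, and nothing at the config lookup records why that is acceptable; the trust assumption from the commit message belongs in the code, e.g. `/* Only safe where the KDC is trusted to enforce transit policy (e.g. an AD domain member): with this set, cross-realm tickets are accepted with no path check at all. */` above the krb5_config_get_bool_default() call. The default of FALSE keeps existing deployments unchanged, which is the right choice for a setting that weakens validation. Two minor points: the config lookup runs on every ticket decryption rather than being cached, which is harmless but worth noting, and the `= FALSE` initializer on skip_transit_check is dead because all three branches of the if/else chain assign it. The `flags` variable tested here appears to be a parameter of krb5_decrypt_ticket, whose signature and remainder lie outside this hunk.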