HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use...
authorStefan Metzmacher <metze@samba.org>
Wed, 20 Sep 2017 21:05:09 +0000 (23:05 +0200)
committerStefan Metzmacher <metze@samba.org>
Fri, 5 Jan 2024 12:40:14 +0000 (13:40 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131

Signed-off-by: Stefan Metzmacher <metze@samba.org>
third_party/heimdal/kdc/mssfu.c

index fda5a37b1c6e61d9984b1bf0ae5e64ddabcb7f58..714190fdde10930c901c6db4787b982b831970d9 100644 (file)
@@ -513,6 +513,15 @@ validate_constrained_delegation(astgs_request_t r)
            goto out;
     }
 
+    if (b->enc_authorization_data && r->rk_is_subkey == 0) {
+       krb5_free_keyblock_contents(r->context, &r->enc_ad_key);
+       ret = krb5_copy_keyblock_contents(r->context,
+                                         &evidence_tkt.key,
+                                         &r->enc_ad_key);
+       if (ret)
+           goto out;
+    }
+
     kdc_log(r->context, r->config, 4, "constrained delegation for %s "
            "from %s (%s) to %s", s4ucname, r->cname, s4usname, r->sname);
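Review bot: The new block under `if (b->enc_authorization_data && r->rk_is_subkey == 0)` replaces `r->enc_ad_key` with `evidence_tkt.key` without any comment, although this decides which key is trusted to decrypt client-supplied authorization data. RFC 4120 has enc-authorization-data encrypted under the authenticator subkey or, failing that, the TGT session key, so the S4U2Proxy deviation should be justified in place, for example `/* No authenticator subkey: S4U2Proxy clients are expected to use the evidence ticket's session key here (bug 13131) */`, with the wording confirmed against the behaviour that was actually observed. The `goto out` after a failed `krb5_copy_keyblock_contents()` is silent and leaves `r->enc_ad_key` already freed; a `kdc_log()` call before the jump would make that failure visible in KDC logs. It is presumably safe only if `krb5_free_keyblock_contents()` leaves the keyblock in a state that the later cleanup can free again. `validate_constrained_delegation()` begins and ends outside this hunk, so it cannot be confirmed from here that `enc_ad_key` is consumed only after this point.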