Chris Hecker
2018-07-23 11:53:43 UTC
Hi, I'm finally getting around to porting my old 1.9 patches to the
latest krb5 source code, and here's the first one...I'll do this as a
pull request, but figured maybe it wanted some discussion? Or do you
prefer the discussion to happen on the pull request?
Anyway, the kdc checks if KRB5_KDB_DISALLOW_SVR is set, and if it is,
then it errors with a KDC_ERR_MUST_USE_USER2USER, except it doesn't
actually handle the case where I am actually using u2u, so this fixes that.
I haven't tested it on 1.16 yet (will this week), but it has had 5 years
of testing on 1.9! :)
I'm also going to submit my old patch that disables ticket issuing if
allow_tix has been turned off, as discussed here years ago, and with
that I fixed the db_entry pass-by-value stuff in kdc_util.c, which I
found was listed here: https://k5wiki.kerberos.org/wiki/Cleanups so I
assume you'd be interested in those changes as well.
Chris
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 21af360..0356a47 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -733,7 +733,8 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
}
/* Check to see if server is allowed to be a service */
- if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
+ if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR) &&
+ !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
*status = "SERVICE NOT ALLOWED";
return(KDC_ERR_MUST_USE_USER2USER);
}
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
latest krb5 source code, and here's the first one...I'll do this as a
pull request, but figured maybe it wanted some discussion? Or do you
prefer the discussion to happen on the pull request?
Anyway, the kdc checks if KRB5_KDB_DISALLOW_SVR is set, and if it is,
then it errors with a KDC_ERR_MUST_USE_USER2USER, except it doesn't
actually handle the case where I am actually using u2u, so this fixes that.
I haven't tested it on 1.16 yet (will this week), but it has had 5 years
of testing on 1.9! :)
I'm also going to submit my old patch that disables ticket issuing if
allow_tix has been turned off, as discussed here years ago, and with
that I fixed the db_entry pass-by-value stuff in kdc_util.c, which I
found was listed here: https://k5wiki.kerberos.org/wiki/Cleanups so I
assume you'd be interested in those changes as well.
Chris
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 21af360..0356a47 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -733,7 +733,8 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
}
/* Check to see if server is allowed to be a service */
- if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
+ if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR) &&
+ !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
*status = "SERVICE NOT ALLOWED";
return(KDC_ERR_MUST_USE_USER2USER);
}
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev