summaryrefslogtreecommitdiffstats
path: root/src/kdc
diff options
context:
space:
mode:
Diffstat (limited to 'src/kdc')
-rw-r--r--src/kdc/do_tgs_req.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 7ea3975dc..057a44250 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -466,11 +466,18 @@ tgt_again:
isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
/*
+ * Forwardable flag is propagated along referral path.
+ */
+ else if (is_referral &&
+ !isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE))
+ clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+ /*
* OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
* S4U2Self in order for forwardable tickets to be returned.
*/
else if (!is_referral &&
- !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+ (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE) ||
+ !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
}
}
generated by cgit (git 2.34.1) at 2024-10-09 20:20:57 +0000