Diffstat (limited to 'src/kdc')
-rw-r--r-- | src/kdc/do_tgs_req.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 7ea3975dc..057a44250 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -466,11 +466,18 @@ tgt_again:
 isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
 /*
+ * Forwardable flag is propagated along referral path.
+ */
+ else if (is_referral &&
+ !isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE))
+ clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+ /*
 * OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
 * S4U2Self in order for forwardable tickets to be returned.
 */
 else if (!is_referral &&
- !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+ (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE) ||
+ !isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)))
 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
 }
 } |
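Review bot: The comment kept above the final `else if` now describes only half of its condition: on the non-referral path the new code also clears TKT_FLG_FORWARDABLE when the header ticket is not forwardable, and the comment still mentions only OK_TO_AUTH_AS_DELEGATE. Because this flag is what later lets the S4U2Self ticket be presented for delegation, I would state both requirements, e.g. `* The header ticket must be forwardable and the requesting service must have OK_TO_AUTH_AS_DELEGATE for a forwardable ticket to be returned.` The new referral comment could also say that, in the visible arms, the flag is only ever cleared along the path and never set. The if/else-if chain starts above the hunk and is unbraced with block comments between the arms, so adding braces would make it easier to audit which `if` each `else` binds to.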