svn commit: samba r11541 - in branches/SAMBA_4_0/source/heimdal/lib/gssapi: .

[abartlet at samba.org]

Author: abartlet
Date: 2005-11-07 02:24:50 +0000 (Mon, 07 Nov 2005)
New Revision: 11541

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11541

Log:
More logical (I think...) delegation semantics.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c	2005-11-07 02:19:19 UTC (rev 11540)
+++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c	2005-11-07 02:24:50 UTC (rev 11541)
@@ -407,20 +407,24 @@
 		ap_options = 0;
 
 		/* 
-		 * If the realm policy approves a delegation, lets check local
-		 * policy if the credentials should be delegated, defafult to
-		 * false.
+		 * The KDC may have issued us a service ticket marked NOT
+		 * ok-as-delegate.  We may still wish to force the matter, and to
+		 * allow this we check a per-realm gssapi [appdefaults] config
+		 * option.  If ok-as-delegate in the config file is set to TRUE
+		 * (default FALSE) and our caller has so requested, we will still
+		 * attempt to forward the ticket.
+		 *
+		 * Otherwise, strip the GSS_C_DELEG_FLAG (so we don't attempt a
+		 * delegation)
 		 */
-		if (cred->flags.b.ok_as_delegate) {
-			krb5_boolean delegate = FALSE;
+		if (!cred->flags.b.ok_as_delegate) {
+			krb5_boolean delegate;
 			
-			_gss_check_compat(NULL, target_name, "ok-as-delegate",
-					  &delegate, TRUE);
 			krb5_appdefault_boolean(gssapi_krb5_context,
 						"gssapi", target_name->realm,
-						"ok-as-delegate", delegate, &delegate);
-			if (delegate)
-				req_flags |= GSS_C_DELEG_FLAG;
+						"ok-as-delegate", FALSE, &delegate);
+			if (!delegate)
+				req_flags &= ~GSS_C_DELEG_FLAG;
 		}
 
 		if (req_flags & GSS_C_DELEG_FLAG) {