svn commit: samba r11541 - in branches/SAMBA_4_0/source/heimdal/lib/gssapi: .
abartlet at samba.org
Mon Nov 7 02:24:51 GMT 2005
Author: abartlet
Date: 2005-11-07 02:24:50 +0000 (Mon, 07 Nov 2005)
New Revision: 11541
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11541
Log:
More logical (I think...) delegation semantics.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c
Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c 2005-11-07 02:19:19 UTC (rev 11540)
+++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c 2005-11-07 02:24:50 UTC (rev 11541)
@@ -407,20 +407,24 @@
ap_options = 0;
/*
- * If the realm policy approves a delegation, lets check local
- * policy if the credentials should be delegated, defafult to
- * false.
+ * The KDC may have issued us a service ticket marked NOT
+ * ok-as-delegate. We may still wish to force the matter, and to
+ * allow this we check a per-realm gssapi [appdefaults] config
+ * option. If ok-as-delegate in the config file is set to TRUE
+ * (default FALSE) and our caller has so requested, we will still
+ * attempt to forward the ticket.
+ *
+ * Otherwise, strip the GSS_C_DELEG_FLAG (so we don't attempt a
+ * delegation)
*/
- if (cred->flags.b.ok_as_delegate) {
- krb5_boolean delegate = FALSE;
+ if (!cred->flags.b.ok_as_delegate) {
+ krb5_boolean delegate;
- _gss_check_compat(NULL, target_name, "ok-as-delegate",
- &delegate, TRUE);
krb5_appdefault_boolean(gssapi_krb5_context,
"gssapi", target_name->realm,
- "ok-as-delegate", delegate, &delegate);
- if (delegate)
- req_flags |= GSS_C_DELEG_FLAG;
+ "ok-as-delegate", FALSE, &delegate);
+ if (!delegate)
+ req_flags &= ~GSS_C_DELEG_FLAG;
}
if (req_flags & GSS_C_DELEG_FLAG) {
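Review bot: In the new `if (!cred->flags.b.ok_as_delegate)` branch, the "ok-as-delegate" [appdefaults] key changes meaning without a rename or any documentation. In the removed code it was a local opt-in consulted only after the KDC had marked the ticket ok-as-delegate; in the added code it is an override that keeps GSS_C_DELEG_FLAG set even though the KDC marked the ticket NOT ok-as-delegate. A krb5.conf that already sets this key to TRUE for a realm would, after this change, forward credentials to any service in that realm the caller requests delegation to, regardless of realm policy. I would use a distinct key name for the override, or at minimum document the new meaning where the option is described. Two related points from the same hunk: when the ticket does carry ok-as-delegate, the caller's GSS_C_DELEG_FLAG is now honoured with no local policy check at all, whereas the removed branch started from `delegate = FALSE` and only set the flag on local approval; and the `_gss_check_compat(NULL, target_name, "ok-as-delegate", ...)` lookup is dropped without the log message saying whether that is intended. The log should state both behaviour changes explicitly.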