The Samba-Bugzilla – Attachment 15730 Details for
Bug 14233
Follow-up to bug 14187: DelegationNotAllowed on server account
[patch]
full patch
nd_server.patch (text/plain), 2.94 KB, created by
Isaac Boukris
on 2020-01-14 12:53:14 UTC
>From 539f2cdc51effbc42aca9be4fd33aa73588695d9 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Mon, 13 Jan 2020 23:42:54 +0100 >Subject: [PATCH 1/3] heimdal: apply DelgationNotAllowed in TGS request > >Signed-off-by: Isaac Boukris <iboukris@samba.org> >--- > source4/heimdal/kdc/krb5tgs.c | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c >index ee3ac3d8f53..bf913a662b6 100644 >--- a/source4/heimdal/kdc/krb5tgs.c >+++ b/source4/heimdal/kdc/krb5tgs.c >@@ -866,6 +866,11 @@ tgs_make_reply(krb5_context context, > et.flags.anonymous = tgt->flags.anonymous; > et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; > >+ if (!server->entry.flags.forwardable) >+ et.flags.forwardable = 0; >+ if (!server->entry.flags.proxiable) >+ et.flags.proxiable = 0; >+ > if(rspac->length) { > /* > * No not need to filter out the any PAC from the >-- >2.21.1 > > >From 1d4ed33756536f9cece7a32302138346ef3eb1ce Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Tue, 14 Jan 2020 13:16:02 +0100 >Subject: [PATCH 2/3] db-glue.c: set forwardable on cross-tgt tickets > >we should also set ok_as_delegate, but that's commented out for now. > >Signed-off-by: Isaac Boukris <iboukris@samba.org> >--- > source4/kdc/db-glue.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > >diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c >index 023ae7b580d..4603647b5e0 100644 >--- a/source4/kdc/db-glue.c >+++ b/source4/kdc/db-glue.c 
>@@ -1556,6 +1556,14 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, > > entry_ex->entry.max_renew = NULL; > >+ /* TODO: per MS-KILE 3.3.5.7.5 we should remove ok-as-delegate if >+ * NO_TGT_DELEGATION flag is set in the trustAttributes. >+ * >+ * Otherwise to behave like Windows we should set ok-as-delegate, >+ * however since we never allowed it so i'm leaving commented out. */ >+ //entry_ex->entry.flags.ok_as_delegate = 1; >+ entry_ex->entry.flags.forwardable = 1; >+ > ret = samba_kdc_sort_encryption_keys(entry_ex); > if (ret != 0) { > krb5_clear_error_message(context); >-- >2.21.1 > > >From bfe1ffe2ab09f5acd1fe112ece5ae98005308932 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Tue, 14 Jan 2020 13:18:10 +0100 >Subject: [PATCH 3/3] Finally remove the hack in our kdb module! > >Signed-off-by: Isaac Boukris <iboukris@samba.org> >--- > source4/kdc/mit_samba.c | 5 ----- > 1 file changed, 5 deletions(-) > >diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c >index 5a4f6e73e97..54dcd545ea1 100644 >--- a/source4/kdc/mit_samba.c >+++ b/source4/kdc/mit_samba.c >@@ -304,11 +304,6 @@ fetch_referral_principal: > > sdb_free_entry(&sentry); > >- if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) { >- kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE; >- kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE; >- } >- > done: > krb5_free_principal(ctx->context, referral_principal); > referral_principal = NULL; >-- >2.21.1 >
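Review bot: In patch 1/3 (source4/heimdal/kdc/krb5tgs.c, tgs_make_reply), the two new checks that clear et.flags.forwardable and et.flags.proxiable have no comment saying which server-account setting they enforce, and the commit message is a subject line only, with "DelgationNotAllowed" misspelled. Please add a short comment above `if (!server->entry.flags.forwardable)` explaining that the issued ticket's flags are being limited by the target server's entry, fix the subject to "DelegationNotAllowed", and add a body that references bug 14233 and states the behaviour before and after. The diffstat shows only krb5tgs.c changing, so a test that requests a ticket for a server entry without the forwardable flag and checks the resulting ticket flags would be worth adding alongside this.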
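Review bot: In patch 2/3 (source4/kdc/db-glue.c, samba_kdc_trust_message2entry), the new comment block only discusses ok-as-delegate, while the one line that actually changes behaviour, `entry_ex->entry.flags.forwardable = 1;`, is left unexplained. Please add a sentence saying why trust entries must be forwardable, and drop the disabled `//entry_ex->entry.flags.ok_as_delegate = 1;` line in favour of describing it in the TODO text, since commented-out code in a `//` comment tends to linger. The wording "however since we never allowed it so i'm leaving commented out" also needs tidying, and the TODO about NO_TGT_DELEGATION in trustAttributes would be easier to track with a bug reference next to it.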
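Review bot: In patch 3/3 (source4/kdc/mit_samba.c, before the `done:` label), the removed block cleared both KRB5_KDB_DISALLOW_FORWARDABLE and KRB5_KDB_DISALLOW_PROXIABLE for every non-CLIENT_REFERRALS_ONLY lookup, but the replacement in patch 2/3 only sets forwardable, and only on trust entries. Please confirm that no entry still relied on the proxiable bit being cleared here, and say so in the commit message, which currently reads "Finally remove the hack in our kdb module!" without naming the hack or why it is now safe to drop. Stating that this patch depends on 1/3 and 2/3 would also help anyone backporting or bisecting the series.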