kdc: handle kdc_options bit 14 confusion
Drafts 0 through 10 of the Kerberos anonymity draft specified the TicketFlags.anonymous flag as bit 14. This was changed to bit 16 after it was discovered that Microsoft used bit 14 for S4U2Proxy.

d5bb7a7 ("(krb5_get_creds): if KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the anonymous and constrained_delegation TicketFlags when issuing a S4U2Proxy request. The setting of the anonymous TicketFlag was removed by ea7615a ("Do not set anonymous flag in S4U2Proxy request").

014e318 ("krb5: check KDC supports anonymous if requested") introduced a client side check to ensure that an anonymous request is responded to with an anonymized ticket.

The combination of setting the anonymous TicketFlag and the anonymized ticket validation broke S4U2Proxy requests to Windows KDCs because they ignore the anonymous TicketFlag when constrained_delegation is requested.

The Heimdal KDC includes fallback logic to handle Heimdal clients that set the anonymous TicketFlag as bit 14 in _kdc_is_anon_request(). However, it failed to adjust the kdc_options flags when it determined that the request came from an old Heimdal client.

This change clears the constrained_delegation flag and sets the request_anonymous flag when an old Heimdal client is detected. It also clears the request_anonymous flag if both bit 14 and 16 are set.

Change-Id: If57b6f9fe95fdba0109c4450dba5548b4ae6eba9
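The bit-14/bit-16 normalization described in the commit message, modelled as a stand-alone C example. This is an added illustration, not Heimdal's code: `kdc_req`, `normalize_kdc_options`, `is_old_heimdal_anon_request` and the `has_additional_tickets` heuristic for detecting an old Heimdal client are assumptions made here (the real `_kdc_is_anon_request()` logic is not shown on this page). Bit numbering follows RFC 4120 (bit 0 is the most significant bit of the KDC-OPTIONS bit string), with bit 14 as Microsoft's cname-in-addl-tkt / constrained_delegation flag and bit 16 as RFC 6112 request-anonymous; the ordering of the two rules (check "both set" before the old-client fallback) is also a choice made here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* KDC-OPTIONS bit numbers, RFC 4120 style: bit 0 is the most significant
 * bit of the 32-bit flag word. */
#define KDC_OPT_CONSTRAINED_DELEGATION 14u  /* MS-KILE cname-in-addl-tkt (S4U2Proxy) */
#define KDC_OPT_REQUEST_ANONYMOUS      16u  /* RFC 6112 request-anonymous */

#define KDC_OPT_BIT(n) (1u << (31u - (n)))

/* Minimal model of the parts of a KDC-REQ this logic looks at (assumption:
 * a real request carries far more than these two fields). */
struct kdc_req {
    uint32_t kdc_options;         /* KDC-OPTIONS as a 32-bit bit string */
    bool     has_additional_tickets; /* S4U2Proxy carries the evidence ticket here */
};

/* Heuristic used here (an assumption, not Heimdal's actual check): a request
 * with bit 14 set but no additional ticket cannot be a real S4U2Proxy request,
 * so treat it as an old Heimdal client asking for an anonymous ticket with
 * the pre-draft-11 bit position. */
static bool is_old_heimdal_anon_request(const struct kdc_req *req)
{
    bool bit14 = (req->kdc_options & KDC_OPT_BIT(KDC_OPT_CONSTRAINED_DELEGATION)) != 0;
    return bit14 && !req->has_additional_tickets;
}

/* Return the kdc_options the KDC should act on, applying the two rules from
 * the commit message:
 *   1. if both bit 14 and bit 16 are set, clear request_anonymous (bit 16);
 *   2. if the request is from an old Heimdal client (bit 14 meant anonymous),
 *      clear constrained_delegation and set request_anonymous instead. */
uint32_t normalize_kdc_options(const struct kdc_req *req)
{
    const uint32_t cd   = KDC_OPT_BIT(KDC_OPT_CONSTRAINED_DELEGATION);
    const uint32_t anon = KDC_OPT_BIT(KDC_OPT_REQUEST_ANONYMOUS);
    uint32_t opts = req->kdc_options;

    if ((opts & cd) && (opts & anon)) {
        /* Rule 1: ambiguous request, treat it as S4U2Proxy only. */
        opts &= ~anon;
    } else if (is_old_heimdal_anon_request(req)) {
        /* Rule 2: rewrite the legacy bit-14 anonymous request to bit 16. */
        opts &= ~cd;
        opts |= anon;
    }
    return opts;
}

/* Convenience predicates on the normalized options. */
bool kdc_req_is_anonymous(const struct kdc_req *req)
{
    return (normalize_kdc_options(req) & KDC_OPT_BIT(KDC_OPT_REQUEST_ANONYMOUS)) != 0;
}

bool kdc_req_is_s4u2proxy(const struct kdc_req *req)
{
    return (normalize_kdc_options(req) & KDC_OPT_BIT(KDC_OPT_CONSTRAINED_DELEGATION)) != 0;
}

int main(void)
{
    /* Constructed sample requests covering the four interesting cases. */
    struct kdc_req legacy_anon = { KDC_OPT_BIT(KDC_OPT_CONSTRAINED_DELEGATION), false };
    struct kdc_req real_s4u    = { KDC_OPT_BIT(KDC_OPT_CONSTRAINED_DELEGATION), true };
    struct kdc_req both        = { KDC_OPT_BIT(KDC_OPT_CONSTRAINED_DELEGATION) |
                                   KDC_OPT_BIT(KDC_OPT_REQUEST_ANONYMOUS), true };
    struct kdc_req modern_anon = { KDC_OPT_BIT(KDC_OPT_REQUEST_ANONYMOUS), false };

    printf("legacy anon : anon=%d s4u=%d\n", kdc_req_is_anonymous(&legacy_anon), kdc_req_is_s4u2proxy(&legacy_anon));
    printf("real s4u    : anon=%d s4u=%d\n", kdc_req_is_anonymous(&real_s4u),    kdc_req_is_s4u2proxy(&real_s4u));
    printf("both bits   : anon=%d s4u=%d\n", kdc_req_is_anonymous(&both),        kdc_req_is_s4u2proxy(&both));
    printf("modern anon : anon=%d s4u=%d\n", kdc_req_is_anonymous(&modern_anon), kdc_req_is_s4u2proxy(&modern_anon));
    return 0;
}
```

The point of normalizing before any policy decision is that every later check (anonymous-ticket issuance, S4U2Proxy evidence-ticket validation) sees one consistent meaning for each bit, instead of each check re-deriving what an old client probably meant.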