Commit
Stop modifying TGS requests for referrals
It is no longer necessary to modify request->server when we receive a referral. The uses of request->server break down as follows:

* Matching against previously issued tickets (e.g. for renewals). We now explicitly disallow referrals for requests where we need to do that.

* Using only the realm (e.g. for transited checking). Referrals are cross-realm TGS entries within the same realm as the requested server principal, so this does not change.

* Comparing to a local TGS principal (for restrict_anonymous_to_tgt enforcement). Local TGS principals are not treated as referrals, so the sense of this comparison will not change if we use the original request.

* Setting the sname and realm fields of a KRB-ERROR response. RFC 4120 and 6806 do not specify what we should put here for referrals or aliases and we are not aware of any uses of this field by clients, so putting the requested server principal here should be okay.