Check cross-realm TGT name for RBCD requests

ticket: 8865 (new) tags: pullup target_version: 1.18
krb5 · Jan 13, 2020 · deb64d5 · deb64d5
1 parent f281f98
commit deb64d5
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
@@ -1699,11 +1699,13 @@ check_rbcd_policy(kdc_realm_t *kdc_active_realm, unsigned int flags,
     if (isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM)) {
         /*
          * Check that the proxy server is local, that the second ticket is a
-         * cross realm TGT, and that the second ticket client matches the
-         * header ticket client.
+         * cross-realm TGT for us, and that the second ticket client matches
+         * the header ticket client.
          */
         if (isflagset(flags, KRB5_KDB_FLAG_ISSUING_REFERRAL) ||
             !is_cross_tgs_principal(stkt_server->princ) ||
+            !krb5_principal_compare_any_realm(kdc_context, stkt_server->princ,
+                                              tgs_server) ||
             !krb5_principal_compare(kdc_context, stkt_client_princ,
                                     header_client_princ)) {
             return KRB5KDC_ERR_BADOPTION;