svn rev #22281: trunk/src/ include/ kadmin/cli/ kdc/ lib/kadm5/
ghudson@MIT.EDU
ghudson at MIT.EDU
Mon Apr 27 11:42:24 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22281
Commit By: ghudson
Log Message:
ticket: 5596
Move KRB5_KDB_OK_AS_DELEGATE from kdb_ext.h to kdb.h. Add kadmin
support for the flag. In the KDC, remove the restriction on returning
the flag on cross-realm TGTs since there is now a defined meaning for
that (it allows ok-as-delegate to be honored on the foreign realm's
service tickets).
Changed Files:
U trunk/src/include/kdb.h
U trunk/src/include/kdb_ext.h
U trunk/src/kadmin/cli/kadmin.M
U trunk/src/kadmin/cli/kadmin.c
U trunk/src/kdc/do_tgs_req.c
U trunk/src/lib/kadm5/str_conv.c
Modified: trunk/src/include/kdb.h
===================================================================
--- trunk/src/include/kdb.h 2009-04-25 09:36:11 UTC (rev 22280)
+++ trunk/src/include/kdb.h 2009-04-27 15:42:23 UTC (rev 22281)
@@ -95,6 +95,7 @@
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE 0x00100000
/* Creation flags */
#define KRB5_KDB_CREATE_BTREE 0x00000001
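Review bot: The new `#define KRB5_KDB_OK_AS_DELEGATE 0x00100000` arrives in kdb.h without the `/* Can be delegated as in TicketFlags */` comment it carried in kdb_ext.h, so a reader of kdb.h sees neither what the bit means nor why the numbering jumps from 0x00008000 straight to 0x00100000. Suggest a comment above the define, e.g. `/* Tickets issued for this service carry TKT_FLG_OK_AS_DELEGATE (see kdc/do_tgs_req.c); 0x00010000-0x00080000 appear unassigned here */`. Since kdb_ext.h keeps KRB5_KDB_OK_TO_AUTH_AS_DELEGATE at 0x00200000, the comment should also make clear that the two headers share one attribute bit space, so a future flag added to kdb.h must not collide with the kdb_ext.h range.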
Modified: trunk/src/include/kdb_ext.h
===================================================================
--- trunk/src/include/kdb_ext.h 2009-04-25 09:36:11 UTC (rev 22280)
+++ trunk/src/include/kdb_ext.h 2009-04-27 15:42:23 UTC (rev 22281)
@@ -31,8 +31,6 @@
#ifndef KRB5_KDB5_EXT__
#define KRB5_KDB5_EXT__
-/* Can be delegated as in TicketFlags */
-#define KRB5_KDB_OK_AS_DELEGATE 0x00100000
/* Allowed to use protocol transition */
#define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000
/* Service does not require authorization data */
Modified: trunk/src/kadmin/cli/kadmin.M
===================================================================
--- trunk/src/kadmin/cli/kadmin.M 2009-04-25 09:36:11 UTC (rev 22280)
+++ trunk/src/kadmin/cli/kadmin.M 2009-04-27 15:42:23 UTC (rev 22281)
@@ -341,6 +341,16 @@
.B -requires_hwauth
clears this flag.
.TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients may use as a hint that credentials can and
+should be delegated when authenticating to the service. (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
.B -allow_svr
prohibits the issuance of service tickets for this principal. (Sets the
Modified: trunk/src/kadmin/cli/kadmin.c
===================================================================
--- trunk/src/kadmin/cli/kadmin.c 2009-04-25 09:36:11 UTC (rev 22280)
+++ trunk/src/kadmin/cli/kadmin.c 2009-04-27 15:42:23 UTC (rev 22281)
@@ -71,7 +71,8 @@
{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
};
static char *prflags[] = {
@@ -91,6 +92,11 @@
"PWCHANGE_SERVICE", /* 0x00002000 */
"SUPPORT_DESMD5", /* 0x00004000 */
"NEW_PRINC", /* 0x00008000 */
+ "UNKNOWN_0x00010000", /* 0x00010000 */
+ "UNKNOWN_0x00020000", /* 0x00020000 */
+ "UNKNOWN_0x00040000", /* 0x00040000 */
+ "UNKNOWN_0x00080000", /* 0x00080000 */
+ "OK_AS_DELEGATE", /* 0x00100000 */
};
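Review bot: The four `"UNKNOWN_0x..."` entries added to prflags only make sense if the table is indexed by bit position, and nothing at the insertion point says so; a later maintainer could remove them as dead strings and silently shift `"OK_AS_DELEGATE"` onto the wrong bit when flags are printed. Suggest a comment on the first placeholder, `/* placeholders: prflags is indexed by bit number, so every bit below OK_AS_DELEGATE needs an entry */` (the indexing scheme is inferred from the layout, not visible in this hunk). It is also worth confirming that whatever iterates prflags bounds the loop by the array size rather than a hard-coded count, since the array grows by five here. The identical `"\t\tok_as_delegate\n"` lines added to the two usage strings later in this file are a sign the help text is duplicated across two functions; a single shared static string would have made this a one-line change.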
char *getenv();
@@ -1117,6 +1123,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n");
}
@@ -1133,6 +1140,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n"
);
Modified: trunk/src/kdc/do_tgs_req.c
===================================================================
--- trunk/src/kdc/do_tgs_req.c 2009-04-25 09:36:11 UTC (rev 22280)
+++ trunk/src/kdc/do_tgs_req.c 2009-04-27 15:42:23 UTC (rev 22281)
@@ -417,11 +417,8 @@
enc_tkt_reply.flags = 0;
enc_tkt_reply.times.starttime = 0;
- if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) &&
- !is_referral) {
- /* Ensure that we are not returning a referral */
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE))
setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
- }
/*
* Fix header_ticket's starttime; if it's zero, fill in the
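Review bot: Dropping the `!is_referral` test also drops the only comment explaining the guard, and the new behaviour is the security-relevant part of this commit: when a referral is being returned, `server` is presumably the local entry for the cross-realm krbtgt principal, so marking that entry ok-as-delegate now tells clients the flag may be honored on the foreign realm's service tickets (as the log message states). That rationale belongs at the `if` so the next reader does not reinstate the referral check as a "fix", e.g. `/* Set on cross-realm TGTs too: the flag on a cross-realm TGT lets the client honor ok-as-delegate on the foreign realm's service tickets. */`. With the braces gone the body is a single unbraced `setflag(...)` statement; keeping the braces avoids the classic mistake when a second statement is added later. The enclosing function starts and ends outside the hunk.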
Modified: trunk/src/lib/kadm5/str_conv.c
===================================================================
--- trunk/src/lib/kadm5/str_conv.c 2009-04-25 09:36:11 UTC (rev 22280)
+++ trunk/src/lib/kadm5/str_conv.c 2009-04-27 15:42:23 UTC (rev 22281)
@@ -73,6 +73,7 @@
static const char flags_tickets_in[] = "allow-tickets";
static const char flags_preauth_in[] = "preauth";
static const char flags_hwauth_in[] = "hwauth";
+static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
static const char flags_pwchange_in[] = "pwchange";
static const char flags_service_in[] = "service";
static const char flags_pwsvc_in[] = "pwservice";
@@ -86,6 +87,7 @@
static const char flags_tickets_out[] = "All Tickets Disallowed";
static const char flags_preauth_out[] = "Preauthorization required";
static const char flags_hwauth_out[] = "HW Authorization required";
+static const char flags_ok_as_delegate_out[] = "OK as Delegate";
static const char flags_pwchange_out[] = "Password Change required";
static const char flags_service_out[] = "Service Disabled";
static const char flags_pwsvc_out[] = "Password Changing Service";
@@ -109,6 +111,7 @@
{ KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
{ KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
{ KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
{ KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
{ KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
{ KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },