kdc u2u patch, kind of a bugfix...

Chris Hecker checker at d6.com
Mon Jul 23 07:53:43 EDT 2018

Hi, I'm finally getting around to porting my old 1.9 patches to the 
latest krb5 source code, and here's the first one...I'll do this as a 
pull request, but figured maybe it wanted some discussion?  Or do you 
prefer the discussion to happen on the pull request?

Anyway, the kdc checks if KRB5_KDB_DISALLOW_SVR is set, and if it is, 
then it errors with a KDC_ERR_MUST_USE_USER2USER, except it doesn't 
actually handle the case where I am actually using u2u, so this fixes that.

I haven't tested it on 1.16 yet (will this week), but it has had 5 years 
of testing on 1.9!  :)

I'm also going to submit my old patch that disables ticket issuing if 
allow_tix has been turned off, as discussed here years ago, and with 
that I fixed the db_entry pass-by-value stuff in kdc_util.c, which I 
found was listed here: https://k5wiki.kerberos.org/wiki/Cleanups so I 
assume you'd be interested in those changes as well.


diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 21af360..0356a47 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -733,7 +733,8 @@ validate_as_request(kdc_realm_t *kdc_active_realm,

      /* Check to see if server is allowed to be a service */
-    if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
+    if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR) &&
+        !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
          *status = "SERVICE NOT ALLOWED";
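Review bot: the new condition lets a request bypass KRB5_KDB_DISALLOW_SVR on the strength of a client-chosen KDC option alone, and this hunk sits in validate_as_request (see the @@ header), where an AS-REQ carries no additional ticket whose session key could encrypt the service ticket; RFC 4120 defines ENC-TKT-IN-SKEY as an option honored by the ticket-granting service. The bypass is therefore only safe if code outside this hunk rejects the request when no u2u ticket is actually present, and the diff neither shows that nor touches the corresponding DISALLOW_SVR check in the TGS path. Please either move or duplicate the `!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)` test where the additional ticket is available and validated, and state in the pull request which request path your u2u flow exercises. The hunk is also cut off after the `*status` assignment, so the return value for the non-u2u case cannot be reviewed here.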
