mit-kdc: Explicitly reject S4U requests

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Tue Mar 10 14:46:04 UTC 2020 on sn-devel-184

diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 2eec496fa92a3c328cfd0facecdc56132d5d588c..9197551ed6198dd28ba3b9b39797926aeff2cf8c 100644 (file)
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -334,6 +334,11 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
        krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
 #endif
 
+       /* FIXME: We don't support S4U yet */
+       if (flags & KRB5_KDB_FLAGS_S4U) {
+               return KRB5_KDB_DBTYPE_NOSUP;
+       }
+
        is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
 
        if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {