CVE-2019-14870: mit-kdc: enforce delegation_not_allowed flag
[amitay/samba.git] / source4 / kdc / mit_samba.c
index 54dcd545ea12df70a0a257ae7c3e6719879e86cb..5a4f6e73e97cb914c1074bfd5e24b9146f9b92c3 100644 (file)
@@ -304,6 +304,11 @@ fetch_referral_principal:
 
        sdb_free_entry(&sentry);
 
+       if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) {
+               kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE;
+               kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE;
+       }
+
 done:
        krb5_free_principal(ctx->context, referral_principal);
        referral_principal = NULL;
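Review bot: The added block at `if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0)` clears both DISALLOW bits on every lookup that lacks the client flag, so the restriction survives only when the caller opts in. Any client-side lookup that reaches this function without that flag would silently lose the not-delegated restriction, so it is worth confirming which KDC request paths set the flag. Because clearing disallow bits reads as the opposite of the commit title, the block needs a comment stating the intent, for example `/* The forwardable/proxiable restrictions apply to the client account only; drop them when the entry is fetched for any other role. */`, with the wording checked against the KDC's actual behaviour. The block also appears to run whatever the outcome of the step before `sdb_free_entry(&sentry)`, which is outside the hunk; if that step can fail, making the clearing conditional on its success would keep it off a partly filled entry. The enclosing function starts and ends outside the hunk.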