HEIMDAL:kdc: make it possible to disable the principal based referral detection
authorStefan Metzmacher <metze@samba.org>
Sun, 29 Jan 2017 16:19:14 +0000 (17:19 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Fri, 10 Mar 2017 10:37:22 +0000 (11:37 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source4/heimdal/kdc/default_config.c
source4/heimdal/kdc/kdc.h
source4/heimdal/kdc/krb5tgs.c

index 6fbf5fdae156a1d2a16b33720410284070db0eb3..0129c5d3c548f340bd984f71fc2cca6c30866d7e 100644 (file)
@@ -55,6 +55,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     c->preauth_use_strongest_session_key = FALSE;
     c->tgs_use_strongest_session_key = FALSE;
     c->use_strongest_server_key = TRUE;
+    c->autodetect_referrals = TRUE;
     c->check_ticket_addresses = TRUE;
     c->allow_null_ticket_addresses = TRUE;
     c->allow_anonymous = FALSE;
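Review bot: The `c->autodetect_referrals = TRUE;` default is hard-coded, and nothing in this hunk reads the value from the KDC configuration. As far as the visible lines show, the check can only be disabled by code that modifies the struct after krb5_kdc_get_config() returns. If that is intended, a comment on the assignment would record it, e.g. `/* on by default; embedders may clear it to skip principal-based referral detection in the TGS path */`. The body of krb5_kdc_get_config() continues outside the hunk, so a config lookup further down cannot be ruled out from here.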
index 9d52fd4c2ec16cbde0f695e039e4b459e3d074c4..16263d6919bdec57c80b95d670206b1d0bb0ccaa 100644 (file)
@@ -69,6 +69,8 @@ typedef struct krb5_kdc_configuration {
     krb5_boolean allow_anonymous;
     enum krb5_kdc_trpolicy trpolicy;
 
+    krb5_boolean autodetect_referrals;
+
     krb5_boolean enable_pkinit;
     krb5_boolean pkinit_princ_in_cert;
     const char *pkinit_kdc_identity;
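Review bot: `autodetect_referrals` is inserted in the middle of `krb5_kdc_configuration`, which shifts the offset of every member after it (`enable_pkinit` onward). Anything built against the old kdc.h layout would then read the wrong fields, so appending the member at the end of the struct is safer if out-of-tree consumers exist. The field also has no comment saying what it gates. Something like `/* when FALSE, the TGS skips referral detection based on the requested server principal */` would help, with the wording confirmed against the krb5tgs.c branch. The struct definition starts and ends outside the hunk.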
index 334a6eb1dc88859e41224db42c4e480758f28bff..a888788bb6fd60e66bf45be033bcb9f1aa5fef84 100644 (file)
@@ -1660,7 +1660,9 @@ server_lookup:
        Realm req_rlm;
        krb5_realm *realms;
 
-       if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
+       if (!config->autodetect_referrals) {
+               /* noop */
+       } else if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
            if(nloop++ < 2) {
                new_rlm = find_rpath(context, tgt->crealm, req_rlm);
                if(new_rlm) {
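Review bot: The empty `if (!config->autodetect_referrals) { /* noop */ }` branch heads the else-if chain, so clearing the flag skips every later arm of the chain as well as the `get_krbtgt_realm()` arm. The chain continues past the end of the hunk, so which arms are affected cannot be seen here. `/* noop */` does not say whether that is intended; a comment such as `/* referral autodetection disabled: skip all referral handling in this chain */` would make the scope explicit. If only this arm should be gated, fold the flag into the condition instead: `if (config->autodetect_referrals && (req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {`. `req_rlm` is also left unassigned on the disabled path, so any use of it after the chain should be checked.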