HEIMDAL:kdc: make it possible to disable the principal based referral detection
authorStefan Metzmacher <metze@samba.org>
Sun, 29 Jan 2017 16:19:14 +0000 (17:19 +0100)
committerStefan Metzmacher <metze@samba.org>
Wed, 29 Apr 2020 09:07:57 +0000 (11:07 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
kdc/default_config.c
kdc/kdc.h
kdc/krb5tgs.c

index b168175f195011404884569c1d688fb0b3dc4fc6..c7117b6271e20189f532ba475723652d6103075e 100644 (file)
@@ -92,6 +92,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     c->preauth_use_strongest_session_key = FALSE;
     c->svc_use_strongest_session_key = FALSE;
     c->use_strongest_server_key = TRUE;
+    c->autodetect_referrals = TRUE;
     c->check_ticket_addresses = TRUE;
     c->allow_null_ticket_addresses = TRUE;
     c->allow_anonymous = FALSE;
index ef6ba4440bd0ad929eeb9c4455b4415288f757fc..a3deeef8118941799c078ff27cb881b6de4c4819 100644 (file)
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -74,6 +74,8 @@ typedef struct krb5_kdc_configuration {
     krb5_boolean strict_nametypes;
     enum krb5_kdc_trpolicy trpolicy;
 
+    krb5_boolean autodetect_referrals;
+
     krb5_boolean enable_pkinit;
     krb5_boolean pkinit_princ_in_cert;
     const char *pkinit_kdc_identity;
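Review bot: The new `autodetect_referrals` member in `krb5_kdc_configuration` has no comment, and none of the visible hunks reads it from configuration, so a reader of kdc.h cannot tell what turning it off does or who is meant to turn it off. I would add above the field something like `/* TRUE (default): the TGS server lookup derives referrals from the requested principal name; FALSE: that detection is skipped and the embedding application must handle referrals itself */`, with the second half adjusted to whatever the intended caller actually does. The field is also inserted in the middle of the struct, which shifts the offsets of `enable_pkinit` and everything after it. If anything outside this tree is built against kdc.h, appending the member at the end would avoid a silent layout mismatch.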
index 1e0e136e8a373057c77207602f3946652463184b..82170f4c9d81224c92b4ae20fa2987a803ae0521 100644 (file)
@@ -1739,7 +1739,9 @@ server_lookup:
        Realm req_rlm;
        krb5_realm *realms;
 
-       if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
+       if (!config->autodetect_referrals) {
+               /* noop */
+       } else if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
             if (capath == NULL) {
                 /* With referalls, hierarchical capaths are always enabled */
                 ret2 = _krb5_find_capath(context, tgt->crealm, our_realm,
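Review bot: The empty `/* noop */` arm added under `server_lookup:` is the first arm of an if/else-if chain, so with `autodetect_referrals` off it bypasses not only the `get_krbtgt_realm(&sp->name)` test but every later arm of the same chain. That chain continues outside the hunk, so the full effect cannot be confirmed from here. If skipping all of them is intended, the comment should say so, for example `/* autodetect_referrals disabled: deliberately skip every referral branch of this chain */`. If only the krbtgt-name check was meant to be gated, the condition reads more clearly as `if (config->autodetect_referrals && (req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {`. That form does change which later arms run, so the choice needs to be made explicitly. Note also that `req_rlm` is left unassigned on the disabled path, which is fine only as long as nothing after the chain reads it.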