s4:kdc: Implement new Microsoft forwardable flag behavior

Allow delegation to any target if we have delegations set up, but the target is
not specified.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 8b18fdb0ff9ca3e79991b8ac1e2f12507aced164..c0c9c7045b55aae869dcad35f9cbbfee0676ab50 100644 (file)
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -429,12 +429,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 # S4U tests
 #
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_client_not_delegated
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_forwardable
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowed
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_without_forwardable
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 77c0c0e47468dc9c7ccced0dfcaa6bdb14ddb2d1..d280aa02902dd1671490a519f3d54f0103026b3e 100644 (file)
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2736,6 +2736,22 @@ samba_kdc_check_s4u2proxy(krb5_context context,
                return ret;
        }
 
+       el = ldb_msg_find_element(skdc_entry->msg, "msDS-AllowedToDelegateTo");
+       if (el == NULL) {
+               goto bad_option;
+       }
+
+       /*
+        * This is the Microsoft forwardable flag behavior.
+        *
+        * If the proxy (target) principal is NULL, and we have any authorized
+        * delegation target, allow to forward.
+        */
+       if (el->num_values >= 0 && target_principal == NULL) {
+               return 0;
+       }
+
+
        /*
         * The main heimdal code already checked that the target_principal
         * belongs to the same realm as the client.
@@ -2766,11 +2782,6 @@ samba_kdc_check_s4u2proxy(krb5_context context,
                return ret;
        }
 
-       el = ldb_msg_find_element(skdc_entry->msg, "msDS-AllowedToDelegateTo");
-       if (el == NULL) {
-               goto bad_option;
-       }
-
        val = data_blob_string_const(target_principal_name);
 
        for (i=0; i<el->num_values; i++) {