summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRalph Boehme <slow@samba.org>2016-04-24 07:39:25 +0200
committerAndreas Schneider <asn@cryptomilk.org>2016-04-25 10:35:14 +0200
commit20dc68050df7b1b0c9d06f8251183a0a6283fcaf (patch)
tree5ada69954f527bbe0a4e8f56d96d7062af4cabbb
parent957741ce65f56e7f1a76111a7de1c4f00a7659f7 (diff)
downloadsamba-20dc68050df7b1b0c9d06f8251183a0a6283fcaf.tar.gz
s4/heimdal: allow SPNs in AS-REQ
This allows testing keytabs with service tickets. Windows KDCs allow this as well. Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
-rw-r--r--source4/heimdal/kdc/kerberos5.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 7e7aefd21e5..3762abe0120 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -762,9 +762,9 @@ kdc_check_flags(krb5_context context,
return KRB5KDC_ERR_POLICY;
}
- if(!client->flags.client){
+ if (!is_as_req && !client->flags.client){
kdc_log(context, config, 0,
- "Principal may not act as client -- %s", client_name);
+ "Principal may only act as client in AS-REQ -- %s", client_name);
return KRB5KDC_ERR_POLICY;
}
@@ -1055,7 +1055,7 @@ _kdc_as_rep(krb5_context context,
*/
ret = _kdc_db_fetch(context, config, client_princ,
- HDB_F_GET_CLIENT | flags, NULL,
+ HDB_F_GET_ANY | flags, NULL,
&clientdb, &client);
if(ret == HDB_ERR_NOT_FOUND_HERE) {
kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", client_name);