232     /* If the "server" principal in the ticket is not something
242     if ((krb5_princ_realm(kdc_context, apreq->ticket->server)->length !=
244 	memcmp(krb5_princ_realm(kdc_context, apreq->ticket->server)->data,
278 				      apreq->ticket->server, 
298 						  apreq, apreq->ticket->server,
389     krb5_db_entry 	  server;
396     if ((retval = krb5_db_get_principal(kdc_context, ticket->server,
397 					&server, &nprincs,
402 	krb5_db_free_principal(kdc_context, &server, nprincs);
407 	krb5_db_free_principal(kdc_context, &server, nprincs);
408 	if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
410 	    krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
416     retval = krb5_dbe_find_enctype(kdc_context, &server,
433     krb5_db_free_principal(kdc_context, &server, nprincs);
499  *                   the realm of the server listed in the ticket
513  *            krb5_principal tgs    Name of ticket granting server
519  *            krb5_principal server The name of the requested server.
521  *                                  ticket granting server.
569 		 krb5_principal server)
641           (krb5_princ_realm(kdc_context, server)->length == strlen(realm) &&
642            !strncmp(krb5_princ_realm(kdc_context, server)->data, realm, strlen(realm)));
850 		    krb5_db_entry server, krb5_timestamp kdc_time,
863     /* The client's password must not be expired, unless the server is
866 	!isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
885     /* The server must not be expired */
886     if (server.expiration && server.expiration < kdc_time) {
896 	!isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
901     /* Client and server must allow postdating tickets */
905 	 isflagset(server.attributes, KRB5_KDB_DISALLOW_POSTDATED))) {
910     /* Client and server must allow forwardable tickets */
913 	 isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))) {
918     /* Client and server must allow renewable tickets */
921 	 isflagset(server.attributes, KRB5_KDB_DISALLOW_RENEWABLE))) {
926     /* Client and server must allow proxiable tickets */
929 	 isflagset(server.attributes, KRB5_KDB_DISALLOW_PROXIABLE))) {
940     /* Check to see if server is locked out */
941     if (isflagset(server.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
946     /* Check to see if server is allowed to be a service */
947     if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
955     errcode = against_local_policy_as(request, server, client,
1123 validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server,
1135     /* Check to see if server has expired */
1136     if (server.expiration && server.expiration < kdc_time) {
1142      * Verify that the server principal in authdat->ticket is correct
1147 	if (!krb5_principal_compare(kdc_context, ticket->server, request->server)) {
1158 	 * Realm A is the "server realm"; the realm of the
1159 	 * server of the requested ticket must match this realm.
1167 	if (krb5_princ_size(kdc_context, ticket->server) != 2) {
1172 	if (!krb5_is_tgs_principal(ticket->server)) {
1176 	/* ...and that the second component matches the server realm... */
1177 	if ((krb5_princ_size(kdc_context, ticket->server) <= 1) ||
1178 	    (krb5_princ_component(kdc_context, ticket->server, 1)->length !=
1179 	     krb5_princ_realm(kdc_context, request->server)->length) ||
1180 	    memcmp(krb5_princ_component(kdc_context, ticket->server, 1)->data,
1181 		   krb5_princ_realm(kdc_context, request->server)->data,
1182 		   krb5_princ_realm(kdc_context, request->server)->length)) {
1191 	if (isflagset(server.attributes, KRB5_KDB_DISALLOW_TGT_BASED)) {
1239 	(!request->server->data ||
1240 	 request->server->data[0].length != KRB5_TGS_NAME_SIZE ||
1241 	 memcmp(request->server->data[0].data, KRB5_TGS_NAME,
1249 	isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) {
1256 	isflagset(server.attributes, KRB5_KDB_DISALLOW_RENEWABLE)) {
1263 	isflagset(server.attributes, KRB5_KDB_DISALLOW_PROXIABLE)) {
1270 	isflagset(server.attributes, KRB5_KDB_DISALLOW_POSTDATED)) {
1277 	isflagset(server.attributes, KRB5_KDB_DISALLOW_DUP_SKEY)) {
1283     if (isflagset(server.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
1289     if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
1330 	if (!krb5_principal_compare(kdc_context, request->second_ticket[st_idx]->server,
1339     if (isflagset(server.attributes, KRB5_KDB_REQUIRES_HW_AUTH) &&
1346     if (isflagset(server.attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
1355     errcode = against_local_policy_tgs(request, server, ticket, status);
1428  * requested, and what the KDC and the application server can support.
1431 select_session_keytype(krb5_context context, krb5_db_entry *server,
1443 	if (dbentry_supports_enctype(context, server, ktype[i]))

Indexes created Tue Jul 24 14:28:13 CEST 2018