From 539f2cdc51effbc42aca9be4fd33aa73588695d9 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Mon, 13 Jan 2020 23:42:54 +0100
Subject: [PATCH 1/3] heimdal: apply DelgationNotAllowed in TGS request

Signed-off-by: Isaac Boukris
---
 source4/heimdal/kdc/krb5tgs.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index ee3ac3d8f53..bf913a662b6 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -866,6 +866,11 @@ tgs_make_reply(krb5_context context,
 et.flags.anonymous = tgt->flags.anonymous;
 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
 
+ if (!server->entry.flags.forwardable)
+ et.flags.forwardable = 0;
+ if (!server->entry.flags.proxiable)
+ et.flags.proxiable = 0;
+
 if(rspac->length) {
 /*
 * No not need to filter out the any PAC from the
-- 
2.21.1

From 1d4ed33756536f9cece7a32302138346ef3eb1ce Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Tue, 14 Jan 2020 13:16:02 +0100
Subject: [PATCH 2/3] db-glue.c: set forwardable on cross-tgt tickets

we should also set ok_as_delegate, but that's commented out for now.

Signed-off-by: Isaac Boukris
---
 source4/kdc/db-glue.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 023ae7b580d..4603647b5e0 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1556,6 +1556,14 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 entry_ex->entry.max_renew = NULL;
 
+ /* TODO: per MS-KILE 3.3.5.7.5 we should remove ok-as-delegate if
+ * NO_TGT_DELEGATION flag is set in the trustAttributes.
+ *
+ * Otherwise to behave like Windows we should set ok-as-delegate,
+ * however since we never allowed it so i'm leaving commented out. */
+ //entry_ex->entry.flags.ok_as_delegate = 1;
+ entry_ex->entry.flags.forwardable = 1;
+
 ret = samba_kdc_sort_encryption_keys(entry_ex);
 if (ret != 0) {
 krb5_clear_error_message(context);
-- 
2.21.1
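Review bot: The two new `if` statements in tgs_make_reply clear forwardable/proxiable from whatever server->entry.flags reports, and for a cross-realm TGS-REQ the "server" entry is presumably the trust's krbtgt entry, so unless the HDB backend marks trust entries forwardable every cross-realm TGT issued here silently loses the flag; the hunk should not be applied without the backend change, and that dependency deserves a comment in the code rather than only in the series. The lines also give no hint of the policy they implement; suggest prefixing them with `/* The target service is marked DelegationNotAllowed (not forwardable/proxiable): never issue a forwardable or proxiable ticket for it, whatever the presented TGT permits. */`. Bracing the single-statement bodies, `if (!server->entry.flags.forwardable) { et.flags.forwardable = 0; }`, would also protect against the dangling-statement mistake when a second line is added later. tgs_make_reply starts and ends outside the hunk.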
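Review bot: `entry_ex->entry.flags.forwardable = 1;` is unconditional, while the TODO directly above it says that a trust carrying the NO_TGT_DELEGATION attribute (MS-KILE 3.3.5.7.5) should have delegation removed; with this hunk such a trust still gets forwardable cross-realm tickets, so the attribute named in the comment is not enforced anywhere in the visible code. Unless trustAttributes is already decoded elsewhere in samba_kdc_trust_message2entry (not visible in the hunk), reading it from the message and setting `forwardable` to 0 when that bit is present would turn the TODO into the actual check; whether the attribute should gate forwardable as well as ok-as-delegate should be confirmed against the MS-KILE section cited. The commented-out `//entry_ex->entry.flags.ok_as_delegate = 1;` is dead code whose intent the comment already records, so the line itself can be dropped. The enclosing function starts and ends outside the hunk.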
From bfe1ffe2ab09f5acd1fe112ece5ae98005308932 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Tue, 14 Jan 2020 13:18:10 +0100
Subject: [PATCH 3/3] Finally remove the hack in our kdb module!

Signed-off-by: Isaac Boukris
---
 source4/kdc/mit_samba.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 5a4f6e73e97..54dcd545ea1 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -304,11 +304,6 @@ fetch_referral_principal:
 sdb_free_entry(&sentry);
 
- if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) {
- kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE;
- kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE;
- }
-
 done:
 krb5_free_principal(ctx->context, referral_principal);
 referral_principal = NULL;
-- 
2.21.1