krb5/krb5-trunk-7046.patch

commit 9dc75551cb8cc4c03f7e0fe5e8a705ed678079f4
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date:   Wed Dec 7 19:38:13 2011 +0000

    ticket: 7046
    subject: Allow S4U2Proxy delegated credentials to be saved
    
    The initial implementation of client-side S4U2Proxy support did not
    allow delegated proxy credentials to be stored (gss_store_cred would
    error out, and gss_krb5_copy_ccache would generate a non-working
    cache).  To make this work, we save the impersonator name in a cache
    config variable and in a cred structure field (replacing the
    proxy_cred flag), and make the default principal of the proxy cache
    the subject principal as the caller would expect for a regular
    delegated cred.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 514e2ea..b25c159 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -273,7 +273,10 @@ typedef INT64_TYPE krb5_int64;
 #define KRB5_CONF_V4_INSTANCE_CONVERT         "v4_instance_convert"
 #define KRB5_CONF_V4_REALM                    "v4_realm"
 #define KRB5_CONF_ASTERISK                    "*"
+
+/* Cache configuration variables */
 #define KRB5_CONF_FAST_AVAIL                  "fast_avail"
+#define KRB5_CONF_PROXY_IMPERSONATOR          "proxy_impersonator"
 
 /* Error codes used in KRB_ERROR protocol messages.
    Return values of library routines are based on a different error table
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index c815b35..c08e059 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -417,6 +417,34 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
     return 0;
 }
 
+/* If an impersonator config entry exists in ccache, set *impersonator_out to
+ * the parsed principal.  Otherwise set *impersonator_out to NULL. */
+static krb5_error_code
+get_impersonator(krb5_context context, krb5_ccache ccache,
+                 krb5_principal *impersonator_out)
+{
+    krb5_error_code code;
+    krb5_data data = empty_data(), data0 = empty_data();
+
+    *impersonator_out = NULL;
+
+    code = krb5_cc_get_config(context, ccache, NULL,
+                              KRB5_CONF_PROXY_IMPERSONATOR, &data);
+    if (code)
+        return (code == KRB5_CC_NOTFOUND) ? 0 : code;
+
+    code = krb5int_copy_data_contents_add0(context, &data, &data0);
+    if (code)
+        goto cleanup;
+
+    code = krb5_parse_name(context, data0.data, impersonator_out);
+
+cleanup:
+    krb5_free_data_contents(context, &data);
+    krb5_free_data_contents(context, &data0);
+    return code;
+}
+
 /* Check ccache and scan it for its expiry time.  On success, cred takes
  * ownership of ccache. */
 static krb5_error_code
@@ -493,6 +521,10 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
         goto cleanup;
     }
 
+    code = get_impersonator(context, ccache, &cred->impersonator);
+    if (code)
+        goto cleanup;
+
     (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE);
     cred->ccache = ccache;
 
@@ -622,6 +654,7 @@ acquire_cred(OM_uint32 *minor_status,
 
     cred->usage = args->cred_usage;
     cred->name = NULL;
+    cred->impersonator = NULL;
     cred->iakerb_mech = args->iakerb;
     cred->default_identity = (name == NULL);
 #ifndef LEAN_CLIENT
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 016a2e6..6b7d530 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -172,7 +172,7 @@ typedef struct _krb5_gss_cred_id_rec {
     /* name/type of credential */
     gss_cred_usage_t usage;
     krb5_gss_name_t name;
-    unsigned int proxy_cred : 1;
+    krb5_principal impersonator;
     unsigned int default_identity : 1;
     unsigned int iakerb_mech : 1;
     unsigned int destroy_ccache : 1;
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 1b8120c..d7b9ffa 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -129,7 +129,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
     krb5_error_code     code;
     krb5_creds          in_creds, evidence_creds, *result_creds = NULL;
     krb5_flags          flags = 0;
-    krb5_principal      cc_princ = NULL;
 
     *out_creds = NULL;
 
@@ -140,16 +139,13 @@ static krb5_error_code get_credentials(context, cred, server, now,
 
     assert(cred->name != NULL);
 
-    if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ)))
-        goto cleanup;
-
     /*
      * Do constrained delegation if we have proxy credentials and
      * we're not trying to get a ticket to ourselves (in which case
      * we can just use the S4U2Self or evidence ticket directly).
      */
-    if (cred->proxy_cred &&
-        !krb5_principal_compare(context, cc_princ, server->princ)) {
+    if (cred->impersonator &&
+        !krb5_principal_compare(context, cred->impersonator, server->princ)) {
         krb5_creds mcreds;
 
         flags |= KRB5_GC_CANONICALIZE |
@@ -159,20 +155,18 @@ static krb5_error_code get_credentials(context, cred, server, now,
         memset(&mcreds, 0, sizeof(mcreds));
 
         mcreds.magic = KV5M_CREDS;
-        mcreds.times.endtime = cred->tgt_expire;
-        mcreds.server = cc_princ;
+        mcreds.server = cred->impersonator;
         mcreds.client = cred->name->princ;
 
         code = krb5_cc_retrieve_cred(context, cred->ccache,
-                                     KRB5_TC_MATCH_TIMES | KRB5_TC_MATCH_AUTHDATA,
-                                     &mcreds,
+                                     KRB5_TC_MATCH_AUTHDATA, &mcreds,
                                      &evidence_creds);
         if (code)
             goto cleanup;
 
         assert(evidence_creds.ticket_flags & TKT_FLG_FORWARDABLE);
 
-        in_creds.client = cc_princ;
+        in_creds.client = cred->impersonator;
         in_creds.second_ticket = evidence_creds.ticket;
     } else {
         in_creds.client = cred->name->princ;
@@ -255,7 +249,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
 
 cleanup:
     krb5_free_authdata(context, in_creds.authdata);
-    krb5_free_principal(context, cc_princ);
     krb5_free_cred_contents(context, &evidence_creds);
     krb5_free_creds(context, result_creds);
 
diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
index 5b2ea2f..4fd3694 100644
--- a/src/lib/gssapi/krb5/rel_cred.c
+++ b/src/lib/gssapi/krb5/rel_cred.c
@@ -71,6 +71,8 @@ krb5_gss_release_cred(minor_status, cred_handle)
     if (cred->name)
         kg_release_name(context, &cred->name);
 
+    krb5_free_principal(context, cred->impersonator);
+
     if (cred->req_enctypes)
         free(cred->req_enctypes);
 
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
index 4ac2ce3..4b37c5a 100644
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
@@ -169,6 +169,39 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
 
 }
 
+/*
+ * Set up cred to be an S4U2Proxy credential by copying in the impersonator's
+ * creds, setting a cache config variable with the impersonator principal name,
+ * and saving the impersonator principal name in the cred structure.
+ */
+static krb5_error_code
+make_proxy_cred(krb5_context context, krb5_gss_cred_id_t cred,
+                krb5_gss_cred_id_t impersonator_cred)
+{
+    krb5_error_code code;
+    krb5_data data;
+    char *str;
+
+    code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
+                              cred->ccache);
+    if (code)
+        return code;
+
+    code = krb5_unparse_name(context, impersonator_cred->name->princ, &str);
+    if (code)
+        return code;
+
+    data = string2data(str);
+    code = krb5_cc_set_config(context, cred->ccache, NULL,
+                              KRB5_CONF_PROXY_IMPERSONATOR, &data);
+    krb5_free_unparsed_name(context, str);
+    if (code)
+        return code;
+
+    return krb5_copy_principal(context, impersonator_cred->name->princ,
+                               &cred->impersonator);
+}
+
 OM_uint32
 kg_compose_deleg_cred(OM_uint32 *minor_status,
                       krb5_gss_cred_id_t impersonator_cred,
@@ -187,7 +220,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
 
     if (!kg_is_initiator_cred(impersonator_cred) ||
         impersonator_cred->name == NULL ||
-        impersonator_cred->proxy_cred) {
+        impersonator_cred->impersonator != NULL) {
         code = G_BAD_USAGE;
         goto cleanup;
     }
@@ -208,14 +241,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
     if (code != 0)
         goto cleanup;
 
-    /*
-     * Only return a "proxy" credential for use with constrained
-     * delegation if the subject credentials are forwardable.
-     * Submitting non-forwardable credentials to the KDC for use
-     * with constrained delegation will only return an error.
-     */
     cred->usage = GSS_C_INITIATE;
-    cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);
 
     cred->tgt_expire = subject_creds->times.endtime;
 
@@ -229,16 +255,18 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
         goto cleanup;
     cred->destroy_ccache = 1;
 
-    code = krb5_cc_initialize(context, cred->ccache,
-                              cred->proxy_cred ? impersonator_cred->name->princ :
-                              subject_creds->client);
+    code = krb5_cc_initialize(context, cred->ccache, subject_creds->client);
     if (code != 0)
         goto cleanup;
 
-    if (cred->proxy_cred) {
-        /* Impersonator's TGT will be necessary for S4U2Proxy */
-        code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
-                                  cred->ccache);
+    /*
+     * Only return a "proxy" credential for use with constrained
+     * delegation if the subject credentials are forwardable.
+     * Submitting non-forwardable credentials to the KDC for use
+     * with constrained delegation will only return an error.
+     */
+    if (subject_creds->ticket_flags & TKT_FLG_FORWARDABLE) {
+        code = make_proxy_cred(context, cred, impersonator_cred);
         if (code != 0)
             goto cleanup;
     }
diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c
index bff3cde..d587589 100644
--- a/src/lib/gssapi/krb5/store_cred.c
+++ b/src/lib/gssapi/krb5/store_cred.c
@@ -91,7 +91,7 @@ copy_initiator_creds(OM_uint32 *minor_status,
 
     kcred = (krb5_gss_cred_id_t)input_cred_handle;
 
-    if (kcred->ccache == NULL || kcred->proxy_cred) {
+    if (kcred->ccache == NULL) {
         *minor_status = KG_CCACHE_NOMATCH;
         major_status = GSS_S_DEFECTIVE_CREDENTIAL;
         goto cleanup;
diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
index e87f249..46a9ae1 100644
--- a/src/lib/gssapi/krb5/val_cred.c
+++ b/src/lib/gssapi/krb5/val_cred.c
@@ -50,8 +50,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
             *minor_status = code;
             return(GSS_S_DEFECTIVE_CREDENTIAL);
         }
-        if (!cred->proxy_cred &&
-            !krb5_principal_compare(context, princ, cred->name->princ)) {
+        if (!krb5_principal_compare(context, princ, cred->name->princ)) {
             k5_mutex_unlock(&cred->lock);
             *minor_status = KG_CCACHE_NOMATCH;
             return(GSS_S_DEFECTIVE_CREDENTIAL);
- pull in patch for RT#7046: tag a ccache containing credentials obtained via S4U2Proxy with the principal name of the proxying principal (part of #761317) 2011-12-13 15:47:31 +00:00			`commit 9dc75551cb8cc4c03f7e0fe5e8a705ed678079f4`
			`Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>`
			`Date: Wed Dec 7 19:38:13 2011 +0000`

			`ticket: 7046`
			`subject: Allow S4U2Proxy delegated credentials to be saved`

			`The initial implementation of client-side S4U2Proxy support did not`
			`allow delegated proxy credentials to be stored (gss_store_cred would`
			`error out, and gss_krb5_copy_ccache would generate a non-working`
			`cache). To make this work, we save the impersonator name in a cache`
			`config variable and in a cred structure field (replacing the`
			`proxy_cred flag), and make the default principal of the proxy cache`
			`the subject principal as the caller would expect for a regular`
			`delegated cred.`

			`git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970`

			`diff --git a/src/include/k5-int.h b/src/include/k5-int.h`
			`index 514e2ea..b25c159 100644`
			`--- a/src/include/k5-int.h`
			`+++ b/src/include/k5-int.h`
			`@@ -273,7 +273,10 @@ typedef INT64_TYPE krb5_int64;`
			`#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"`
			`#define KRB5_CONF_V4_REALM "v4_realm"`
			`#define KRB5_CONF_ASTERISK "*"`
			`+`
			`+/* Cache configuration variables */`
			`#define KRB5_CONF_FAST_AVAIL "fast_avail"`
			`+#define KRB5_CONF_PROXY_IMPERSONATOR "proxy_impersonator"`

			`/* Error codes used in KRB_ERROR protocol messages.`
			`Return values of library routines are based on a different error table`
			`diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c`
			`index c815b35..c08e059 100644`
			`--- a/src/lib/gssapi/krb5/acquire_cred.c`
			`+++ b/src/lib/gssapi/krb5/acquire_cred.c`
			`@@ -417,6 +417,34 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,`
			`return 0;`
			`}`

			`+/* If an impersonator config entry exists in ccache, set *impersonator_out to`
			`+ * the parsed principal. Otherwise set impersonator_out to NULL. /`
			`+static krb5_error_code`
			`+get_impersonator(krb5_context context, krb5_ccache ccache,`
			`+ krb5_principal *impersonator_out)`
			`+{`
			`+ krb5_error_code code;`
			`+ krb5_data data = empty_data(), data0 = empty_data();`
			`+`
			`+ *impersonator_out = NULL;`
			`+`
			`+ code = krb5_cc_get_config(context, ccache, NULL,`
			`+ KRB5_CONF_PROXY_IMPERSONATOR, &data);`
			`+ if (code)`
			`+ return (code == KRB5_CC_NOTFOUND) ? 0 : code;`
			`+`
			`+ code = krb5int_copy_data_contents_add0(context, &data, &data0);`
			`+ if (code)`
			`+ goto cleanup;`
			`+`
			`+ code = krb5_parse_name(context, data0.data, impersonator_out);`
			`+`
			`+cleanup:`
			`+ krb5_free_data_contents(context, &data);`
			`+ krb5_free_data_contents(context, &data0);`
			`+ return code;`
			`+}`
			`+`
			`/* Check ccache and scan it for its expiry time. On success, cred takes`
			`* ownership of ccache. */`
			`static krb5_error_code`
			`@@ -493,6 +521,10 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,`
			`goto cleanup;`
			`}`

			`+ code = get_impersonator(context, ccache, &cred->impersonator);`
			`+ if (code)`
			`+ goto cleanup;`
			`+`
			`(void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE);`
			`cred->ccache = ccache;`

			`@@ -622,6 +654,7 @@ acquire_cred(OM_uint32 *minor_status,`

			`cred->usage = args->cred_usage;`
			`cred->name = NULL;`
			`+ cred->impersonator = NULL;`
			`cred->iakerb_mech = args->iakerb;`
			`cred->default_identity = (name == NULL);`
			`#ifndef LEAN_CLIENT`
			`diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h`
			`index 016a2e6..6b7d530 100644`
			`--- a/src/lib/gssapi/krb5/gssapiP_krb5.h`
			`+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h`
			`@@ -172,7 +172,7 @@ typedef struct _krb5_gss_cred_id_rec {`
			`/* name/type of credential */`
			`gss_cred_usage_t usage;`
			`krb5_gss_name_t name;`
			`- unsigned int proxy_cred : 1;`
			`+ krb5_principal impersonator;`
			`unsigned int default_identity : 1;`
			`unsigned int iakerb_mech : 1;`
			`unsigned int destroy_ccache : 1;`
			`diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c`
			`index 1b8120c..d7b9ffa 100644`
			`--- a/src/lib/gssapi/krb5/init_sec_context.c`
			`+++ b/src/lib/gssapi/krb5/init_sec_context.c`
			`@@ -129,7 +129,6 @@ static krb5_error_code get_credentials(context, cred, server, now,`
			`krb5_error_code code;`
			`krb5_creds in_creds, evidence_creds, *result_creds = NULL;`
			`krb5_flags flags = 0;`
			`- krb5_principal cc_princ = NULL;`

			`*out_creds = NULL;`

			`@@ -140,16 +139,13 @@ static krb5_error_code get_credentials(context, cred, server, now,`

			`assert(cred->name != NULL);`

			`- if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ)))`
			`- goto cleanup;`
			`-`
			`/*`
			`* Do constrained delegation if we have proxy credentials and`
			`* we're not trying to get a ticket to ourselves (in which case`
			`* we can just use the S4U2Self or evidence ticket directly).`
			`*/`
			`- if (cred->proxy_cred &&`
			`- !krb5_principal_compare(context, cc_princ, server->princ)) {`
			`+ if (cred->impersonator &&`
			`+ !krb5_principal_compare(context, cred->impersonator, server->princ)) {`
			`krb5_creds mcreds;`

			`flags \|= KRB5_GC_CANONICALIZE \|`
			`@@ -159,20 +155,18 @@ static krb5_error_code get_credentials(context, cred, server, now,`
			`memset(&mcreds, 0, sizeof(mcreds));`

			`mcreds.magic = KV5M_CREDS;`
			`- mcreds.times.endtime = cred->tgt_expire;`
			`- mcreds.server = cc_princ;`
			`+ mcreds.server = cred->impersonator;`
			`mcreds.client = cred->name->princ;`

			`code = krb5_cc_retrieve_cred(context, cred->ccache,`
			`- KRB5_TC_MATCH_TIMES \| KRB5_TC_MATCH_AUTHDATA,`
			`- &mcreds,`
			`+ KRB5_TC_MATCH_AUTHDATA, &mcreds,`
			`&evidence_creds);`
			`if (code)`
			`goto cleanup;`

			`assert(evidence_creds.ticket_flags & TKT_FLG_FORWARDABLE);`

			`- in_creds.client = cc_princ;`
			`+ in_creds.client = cred->impersonator;`
			`in_creds.second_ticket = evidence_creds.ticket;`
			`} else {`
			`in_creds.client = cred->name->princ;`
			`@@ -255,7 +249,6 @@ static krb5_error_code get_credentials(context, cred, server, now,`

			`cleanup:`
			`krb5_free_authdata(context, in_creds.authdata);`
			`- krb5_free_principal(context, cc_princ);`
			`krb5_free_cred_contents(context, &evidence_creds);`
			`krb5_free_creds(context, result_creds);`

			`diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c`
			`index 5b2ea2f..4fd3694 100644`
			`--- a/src/lib/gssapi/krb5/rel_cred.c`
			`+++ b/src/lib/gssapi/krb5/rel_cred.c`
			`@@ -71,6 +71,8 @@ krb5_gss_release_cred(minor_status, cred_handle)`
			`if (cred->name)`
			`kg_release_name(context, &cred->name);`

			`+ krb5_free_principal(context, cred->impersonator);`
			`+`
			`if (cred->req_enctypes)`
			`free(cred->req_enctypes);`

			`diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c`
			`index 4ac2ce3..4b37c5a 100644`
			`--- a/src/lib/gssapi/krb5/s4u_gss_glue.c`
			`+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c`
			`@@ -169,6 +169,39 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,`

			`}`

			`+/*`
			`+ * Set up cred to be an S4U2Proxy credential by copying in the impersonator's`
			`+ * creds, setting a cache config variable with the impersonator principal name,`
			`+ * and saving the impersonator principal name in the cred structure.`
			`+ */`
			`+static krb5_error_code`
			`+make_proxy_cred(krb5_context context, krb5_gss_cred_id_t cred,`
			`+ krb5_gss_cred_id_t impersonator_cred)`
			`+{`
			`+ krb5_error_code code;`
			`+ krb5_data data;`
			`+ char *str;`
			`+`
			`+ code = krb5_cc_copy_creds(context, impersonator_cred->ccache,`
			`+ cred->ccache);`
			`+ if (code)`
			`+ return code;`
			`+`
			`+ code = krb5_unparse_name(context, impersonator_cred->name->princ, &str);`
			`+ if (code)`
			`+ return code;`
			`+`
			`+ data = string2data(str);`
			`+ code = krb5_cc_set_config(context, cred->ccache, NULL,`
			`+ KRB5_CONF_PROXY_IMPERSONATOR, &data);`
			`+ krb5_free_unparsed_name(context, str);`
			`+ if (code)`
			`+ return code;`
			`+`
			`+ return krb5_copy_principal(context, impersonator_cred->name->princ,`
			`+ &cred->impersonator);`
			`+}`
			`+`
			`OM_uint32`
			`kg_compose_deleg_cred(OM_uint32 *minor_status,`
			`krb5_gss_cred_id_t impersonator_cred,`
			`@@ -187,7 +220,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,`

			`if (!kg_is_initiator_cred(impersonator_cred) \|\|`
			`impersonator_cred->name == NULL \|\|`
			`- impersonator_cred->proxy_cred) {`
			`+ impersonator_cred->impersonator != NULL) {`
			`code = G_BAD_USAGE;`
			`goto cleanup;`
			`}`
			`@@ -208,14 +241,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,`
			`if (code != 0)`
			`goto cleanup;`

			`- /*`
			`- * Only return a "proxy" credential for use with constrained`
			`- * delegation if the subject credentials are forwardable.`
			`- * Submitting non-forwardable credentials to the KDC for use`
			`- * with constrained delegation will only return an error.`
			`- */`
			`cred->usage = GSS_C_INITIATE;`
			`- cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);`

			`cred->tgt_expire = subject_creds->times.endtime;`

			`@@ -229,16 +255,18 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,`
			`goto cleanup;`
			`cred->destroy_ccache = 1;`

			`- code = krb5_cc_initialize(context, cred->ccache,`
			`- cred->proxy_cred ? impersonator_cred->name->princ :`
			`- subject_creds->client);`
			`+ code = krb5_cc_initialize(context, cred->ccache, subject_creds->client);`
			`if (code != 0)`
			`goto cleanup;`

			`- if (cred->proxy_cred) {`
			`- /* Impersonator's TGT will be necessary for S4U2Proxy */`
			`- code = krb5_cc_copy_creds(context, impersonator_cred->ccache,`
			`- cred->ccache);`
			`+ /*`
			`+ * Only return a "proxy" credential for use with constrained`
			`+ * delegation if the subject credentials are forwardable.`
			`+ * Submitting non-forwardable credentials to the KDC for use`
			`+ * with constrained delegation will only return an error.`
			`+ */`
			`+ if (subject_creds->ticket_flags & TKT_FLG_FORWARDABLE) {`
			`+ code = make_proxy_cred(context, cred, impersonator_cred);`
			`if (code != 0)`
			`goto cleanup;`
			`}`
			`diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c`
			`index bff3cde..d587589 100644`
			`--- a/src/lib/gssapi/krb5/store_cred.c`
			`+++ b/src/lib/gssapi/krb5/store_cred.c`
			`@@ -91,7 +91,7 @@ copy_initiator_creds(OM_uint32 *minor_status,`

			`kcred = (krb5_gss_cred_id_t)input_cred_handle;`

			`- if (kcred->ccache == NULL \|\| kcred->proxy_cred) {`
			`+ if (kcred->ccache == NULL) {`
			`*minor_status = KG_CCACHE_NOMATCH;`
			`major_status = GSS_S_DEFECTIVE_CREDENTIAL;`
			`goto cleanup;`
			`diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c`
			`index e87f249..46a9ae1 100644`
			`--- a/src/lib/gssapi/krb5/val_cred.c`
			`+++ b/src/lib/gssapi/krb5/val_cred.c`
			`@@ -50,8 +50,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,`
			`*minor_status = code;`
			`return(GSS_S_DEFECTIVE_CREDENTIAL);`
			`}`
			`- if (!cred->proxy_cred &&`
			`- !krb5_principal_compare(context, princ, cred->name->princ)) {`
			`+ if (!krb5_principal_compare(context, princ, cred->name->princ)) {`
			`k5_mutex_unlock(&cred->lock);`
			`*minor_status = KG_CCACHE_NOMATCH;`
			`return(GSS_S_DEFECTIVE_CREDENTIAL);`