CVE-2019-14870: mit-kdc: enforce delegation_not_allowed flag

Signed-off-by: Isaac Boukris <iboukris@samba.org>

source4/kdc/mit_samba.c

@@ -304,6 +304,11 @@ fetch_referral_principal:
 
 	sdb_free_entry(&sentry);
 
+	if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) {
+		kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE;
+		kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE;
+	}
+
 done:
 	krb5_free_principal(ctx->context, referral_principal);
 	referral_principal = NULL;

source4/kdc/sdb_to_kdb.c

@@ -36,18 +36,13 @@ static int SDBFlags_to_kflags(const struct SDBFlags *s,
 	if (s->initial) {
 		*k |= KRB5_KDB_DISALLOW_TGT_BASED;
 	}
-	/*
-	 * Do not set any disallow rules for forwardable, proxiable,
-	 * renewable, postdate and server.
-	 *
-	 * The KDC will take care setting the flags based on the incoming
-	 * ticket.
-	 */
-	if (s->forwardable) {
-		;
+	/* The forwardable and proxiable flags are set according to client and
+	 * server attributes. */
+	if (!s->forwardable) {
+		*k |= KRB5_KDB_DISALLOW_FORWARDABLE;
 	}
-	if (s->proxiable) {
-		;
+	if (!s->proxiable) {
+		*k |= KRB5_KDB_DISALLOW_PROXIABLE;
 	}
 	if (s->renewable) {
 		;