From 2c265a81823e9e4e02906c85b2464837e5dba283 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 4 Dec 2013 16:35:26 -0600
Subject: [PATCH] Add option to require initial kca_service tickets

Default to TRUE, and allow setting it on a per-realm basis.
---
 kdc/kx509.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/kdc/kx509.c b/kdc/kx509.c
index 274c1df50..a943699fb 100644
--- a/kdc/kx509.c
+++ b/kdc/kx509.c
@@ -342,6 +342,7 @@ _kdc_do_kx509(krb5_context context,
     Kx509Response rep;
     size_t size;
     krb5_keyblock *key = NULL;
+    krb5_boolean def_bool;
 
     krb5_data_zero(reply);
     memset(&rep, 0, sizeof(rep));
@@ -374,6 +375,18 @@ _kdc_do_kx509(krb5_context context,
     if (ret)
 	goto out;
 
+    def_bool = krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
+                                            "require_initial_kca_tickets",
+                                            NULL);
+    if (!ticket->ticket.flags.initial &&
+        krb5_config_get_bool_default(context, NULL, def_bool, "kdc",
+                                     krb5_principal_get_realm(context,
+                                                              cprincipal),
+                                     "require_initial_kca_tickets", NULL)) {
+        ret = KRB5KDC_ERR_POLICY;
+        goto out;
+    }
+
     ret = krb5_unparse_name(context, cprincipal, &cname);
     if (ret)
 	goto out;
-- 
2.11.4.GIT
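Review bot: The policy refusal in the second hunk sets `ret = KRB5KDC_ERR_POLICY` and jumps to `out` without recording why, so an operator cannot distinguish a client presenting a non-initial (TGS-derived, possibly forwarded or stolen) ticket from any other policy failure; since `cname` is only produced by the `krb5_unparse_name` call on the very next line, consider moving the check below it and logging the refusal with the client name and realm, presumably through the kdc_log() facility the rest of this function appears to use. The realm consulted for the per-realm override is taken from `cprincipal`, i.e. the client's realm, which for a cross-realm client is not a realm this KDC serves; if the intent is a per-served-realm policy the ticket's server realm is the one to key on, and either way the choice deserves a comment such as `/* Per-realm override is looked up under the client's realm, not the kca_service realm. */`. The diffstat shows only kdc/kx509.c changed, so the new `require_initial_kca_tickets` knob and its TRUE default are not documented anywhere an administrator would find them. `_kdc_do_kx509` begins before and continues after both hunks.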