freeipa: delegation rules allow a proxy service to impersonate any user to access another target service
A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the checkallowedtodelegate function: If the target service...