kdc: add support for HDB_ERR_WRONG_REALM

A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ. entry_ex->entry.principal->realm needs to return the real realm of the principal (or at least a the realm of the next cross-realm trust hop). This is needed to route enterprise principals between AD domain trusts. Signed-off-by: Stefan Metzmacher <metze@samba.org>
2015-02-10 14:37:29 +01:00
parent 81f9ed4a6c
commit 078e6f5dd2
4 changed files with 60 additions and 1 deletions
--- a/kdc/misc.c
+++ b/kdc/misc.c
@@ -101,6 +101,13 @@ _kdc_db_fetch(krb5_context context,
 	config->db[i]->hdb_close(context, config->db[i]);

 	switch (ret) {
+	case HDB_ERR_WRONG_REALM:
+	    /*
+	     * the ent->entry.principal just contains hints for the client
+	     * to retry. This is important for enterprise principal routing
+	     * between trusts.
+	     */
+	    /* fall through */
 	case 0:
 	    if (db)
 		*db = config->db[i];