Added a flag to ensure that we don't mod/store hdb entries fetched with specified kvno.

Nicolas Williams
2011-07-13 01:48:32 -05:00
committed by Nicolas Williams
parent e7f385ad0d
commit 34189a23fe
4 changed files with 6 additions and 1 deletions


@@ -312,6 +312,8 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
krb5_data key, value;
int code;
if (entry->entry.flags.do_not_store)
return HDB_ERR_MISUSE;
/* check if new aliases already is used */
code = hdb_check_aliases(context, db, entry);
if (code)
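Review bot: The `do_not_store` check is added only at the top of `_hdb_store`, so any backend whose store method does not route through this function would still write an entry carrying a non-current key set. No other store path is touched in this commit, so it is worth confirming per backend that the flag is honoured there too. The guard would also benefit from a short comment such as `/* entry was rewritten for a requested kvno (hdb_unseal_keys_kvno); refuse to persist it */`, because `HDB_ERR_MISUSE` alone does not tell a caller why. The body of `_hdb_store` starts and continues outside the hunk.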


@@ -46,8 +46,9 @@ HDBFlags ::= BIT STRING {
trusted-for-delegation(14), -- Trusted to print forwardabled tickets
allow-kerberos4(15), -- Allow Kerberos 4 requests
allow-digest(16), -- Allow digest requests
locked-out(17) -- Account is locked out,
locked-out(17), -- Account is locked out,
-- authentication will be denied
do-not-store(31) -- Not to be modified and stored in HDB
}
GENERATION ::= SEQUENCE {
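Review bot: `do-not-store(31)` is used in this commit purely as a run-time marker, yet it is declared inside `HDBFlags`, which is an encoded type. The bit can therefore appear in any serialized copy of an entry that is produced without passing the store guard. If entries are encoded elsewhere (dumps or propagation, not visible here), the bit should be cleared before encoding, since an entry read back with it set would be refused by the new check with `HDB_ERR_MISUSE`. At minimum the comment could say so, e.g. `-- run-time marker only; never expected in a stored entry`.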


@@ -26,5 +26,6 @@ error_code NO_MKEY, "No correct master key"
error_code MANDATORY_OPTION, "Entry contains unknown mandatory extension"
error_code NO_WRITE_SUPPORT, "HDB backend doesn't contain write support"
error_code NOT_FOUND_HERE, "The secret for this entry is not replicated to this database"
error_code MISUSE, "Incorrect use of the API"
end


@@ -554,6 +554,7 @@ hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno,
ent->keys.len = hist_keys->val[i].keys.len;
ent->keys.val = hist_keys->val[i].keys.val;
ent->kvno = kvno;
ent->flags.do_not_store = 1;
}
return (ret);
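Review bot: The new `ent->flags.do_not_store = 1;` has no comment tying it to the three assignments above it, which replace the entry's key set and kvno with a historical one. A line such as `/* ent now describes key set `kvno`, not the current one; mark it so _hdb_store() rejects it */` would make the invariant explicit to whoever adds the next code path that swaps keys. Nothing in the hunk clears the flag, so callers that reuse or copy `ent` will carry it along; if that is intended, the comment should say it. The function starts outside the hunk.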