From 61f1be93e32e972a8cd925fdc54941750a9955df Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 20 Sep 2018 16:36:18 -0700
Subject: [PATCH] kdc: Provide flag to hint to KDC that this is a FAST key
 lookup

For Samba the fast key is not stored in the replicated DB, so
this helps Samba find it in the Samba hdb module.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 kdc/fast.c    | 2 +-
 lib/hdb/hdb.h | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/kdc/fast.c b/kdc/fast.c
index 238ac8dd5..aacd7b743 100644
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -53,7 +53,7 @@ get_fastuser_crypto(astgs_request_t r, krb5_enctype enctype,
 	goto out;
 
     ret = _kdc_db_fetch(r->context, r->config, fast_princ,
-			HDB_F_GET_CLIENT, NULL, NULL, &fast_user);
+			HDB_F_GET_FAST_COOKIE, NULL, NULL, &fast_user);
     krb5_free_principal(r->context, fast_princ);
     if (ret)
 	goto out;
diff --git a/lib/hdb/hdb.h b/lib/hdb/hdb.h
index bc2a3bdc5..808c4582a 100644
--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
@@ -71,6 +71,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_PRECHECK		16384	/* check that the operation would succeed */
 #define HDB_F_DELAY_NEW_KEYS	32768	/* apply [hdb] new_service_key_delay */
 #define HDB_F_SYNTHETIC_OK	65536	/* synthetic principal for PKINIT OK */
+#define HDB_F_GET_FAST_COOKIE  131072	/* fetch the FX-COOKIE key (not a normal principal) */
 
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1