From 76ee5cb311b2bd8c24a5b51e1ef7aaa4ffb2e81f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Thu, 27 Apr 2006 12:01:09 +0000
Subject: [PATCH] (tgs_rep2): check that the client exists in the kerberos database if its local request.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17317 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kerberos5.c | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index e32330fc8..dac57c0ba 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2391,20 +2391,24 @@ tgs_rep2(krb5_context context,
 if(ret)
 kdc_log(context, config, 1,
 "Client not found in database: %s: %s",
 cpn, krb5_get_err_text(context, ret));
-#if 0
- /* XXX check client only if same realm as krbtgt-instance */
- if(ret){
- kdc_log(context, config, 0,
- "Client not found in database: %s: %s",
- cpn, krb5_get_err_text(context, ret));
- if (ret == HDB_ERR_NOENTRY)
- ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
- goto out;
- }
-#endif
+
+ /*
+ * If the client belongs to the same realm as our krbtgt, it
+ * should exist in the local database.
+ *
+ * If its not the same, check the "direction" on the krbtgt,
+ * so its not a backward uni-directional trust.
+ */
 if(strcmp(krb5_principal_get_realm(context, sp),
- krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)) != 0) {
+ krb5_principal_get_comp_string(context,
+ krbtgt->entry.principal, 1)) == 0) {
+ if(ret) {
+ if (ret == HDB_ERR_NOENTRY)
+ ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ goto out;
+ }
+ } else {
 char *tpn;
 ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
 kdc_log(context, config, 0,
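Review bot: The condition that now gates the "client must exist locally" rejection, `if(strcmp(krb5_principal_get_realm(context, sp), krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)) == 0)`, compares the realm of `sp` with the krbtgt's instance realm, yet the new comment and the lookup being gated are about the client (the failed fetch is logged under the separate `cpn`). If `sp` is the server principal, as its name suggests, then an inbound cross-realm TGT such as krbtgt/B@A presented to B's KDC for a service in B satisfies this test while the client is a foreign principal that B's database need not hold, so a legitimate cross-realm request would be refused with `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN`. The comparison should use the client principal's realm, e.g. `if(strcmp(krb5_principal_get_realm(context, cp), ...) == 0)`, assuming `cp` is the parsed client principal that `cpn` names, with the `else` direction check kept on the server realm as before. Note also that the removed block logged the rejection at level 0 while the surviving message is level 1, so the refusal is no longer visible at default verbosity; a `kdc_log(context, config, 0, ...)` before `goto out` would restore that. tgs_rep2 starts and ends outside this hunk.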