oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not overwritten

Browse Source 
This change ensures that our RODC will correctly proxy when asked to provide
a ticket for a service or user where the keys are not on this RODC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andrew Bartlett
2015-01-21 11:45:45 +13:00
committed by Nicolas Williams
parent 0f19fdec83
commit c450abd01a
1 changed files with 19 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
kdc/misc.c
View File

@@ -100,18 +100,33 @@ _kdc_db_fetch(krb5_context context,
ent); ent);
config->db[i]->hdb_close(context, config->db[i]); config->db[i]->hdb_close(context, config->db[i]);
if (ret == 0) { switch (ret) {
case 0:
if (db) if (db)
*db = config->db[i]; *db = config->db[i];
*h = ent; *h = ent;
ent = NULL; ent = NULL;
goto out; goto out;
case HDB_ERR_NOENTRY:
/* Check the other databases */
continue;
default:
/*
* This is really important, because errors like
* HDB_ERR_NOT_FOUND_HERE (used to indicate to Samba that
* the RODC on which this code is running does not have
* the key we need, and so a proxy to the KDC is required)
* have specific meaning, and need to be propogated up.
*/
goto out;
} }
} }
ret = HDB_ERR_NOENTRY; if (ret == HDB_ERR_NOENTRY) {
krb5_set_error_message(context, ret, "no such entry found in hdb"); krb5_set_error_message(context, ret, "no such entry found in hdb");
}
out: out:
krb5_free_principal(context, enterprise_principal); krb5_free_principal(context, enterprise_principal);
free(ent); free(ent);