From d6f9cec30f5316bb4fe87f6e9f3006d24464ce2a Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Tue, 14 Dec 2021 18:00:05 +1100
Subject: [PATCH] hdb: do not return HDB_ERR_WRONG_REALM if force_canon set

In hdb_fetch_kvno(), do not return HDB_ERR_WRONG_REALM if the backend set the force_canonicalize flag
Closes: #886
---
 lib/hdb/common.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/hdb/common.c b/lib/hdb/common.c
index 5100fdb7c..1b001d10a 100644
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -1478,7 +1478,14 @@ hdb_fetch_kvno(krb5_context context,
 ret = fetch_it(context, db, principal, flags, t, etype, kvno, h);
 if (ret == HDB_ERR_NOENTRY)
 krb5_set_error_message(context, ret, "no such entry found in hdb");
+
+ /*
+ * This check is to support aliases in HDB; the force_canonicalize
+ * check is to allow HDB backends to support realm name canon
+ * independently of principal aliases (used by Samba).
+ */
 if (ret == 0 && !(flags & HDB_F_ADMIN_DATA) &&
+ !h->entry.flags.force_canonicalize &&
 !krb5_realm_compare(context, principal, h->entry.principal))
 ret = HDB_ERR_WRONG_REALM;
 return ret;
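Review bot: The added `!h->entry.flags.force_canonicalize` term makes the realm comparison in `hdb_fetch_kvno()` depend entirely on a per-entry flag supplied by the backend, and the new comment does not say what the backend must guarantee in exchange. With the flag set, an entry whose `h->entry.principal` realm differs from the requested `principal` is now returned with `ret == 0`, so callers receive cross-realm entries that this check used to turn into `HDB_ERR_WRONG_REALM`. I would state the contract in the comment, for example `* A backend that sets force_canonicalize vouches that the returned realm is valid for this request; callers must not assume the realms match.` If the flag can also be set on entries for reasons unrelated to realm canonicalization, those entries skip the check as well, which is worth confirming. The function begins and ends outside this hunk, so how callers treat the returned entry is not visible here.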