hdb: Support referrals via aliases

The TGS will issue referrals based on [domain_realm] mappings. With this change the TGS will also issue referrals based on HDB entry aliases. The TGS needed no changes for this, only support in lib/hdb was missing. All we had to do was return HDB_ERR_WRONG_REALM from hdb_fetch_kvno() when the given principal is an alias and its canonical name's realm is different from the alias'. This feature is important because the KDC currently does not re-read krb5.conf and must be restarted for changes to e.g., [domain_realm] mappings to take effect. As well, making krb5.conf changes to all the KDCs for a realm would need to be arranged. But with aliases in the HDB, these problems go away. Relatedly, we should really have an option to store the KDC's entire configuration in the HDB... Futures: - Add support for aliasing of entire namespaces via HDB aliases with WELLKNOWN namespace name forms. This will round out domain-to-realm mapping configuration support via HDB.
2021-10-06 22:06:46 -05:00
parent a703bd1212
commit decd8f4102
1 changed files with 3 additions and 0 deletions
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -1476,6 +1476,9 @@ hdb_fetch_kvno(krb5_context context,
    ret = fetch_it(context, db, principal, flags, t, etype, kvno, h);
    if (ret == HDB_ERR_NOENTRY)
 	krb5_set_error_message(context, ret, "no such entry found in hdb");
+    if (ret == 0 && !(flags & HDB_F_ADMIN_DATA) &&
+        !krb5_realm_compare(context, principal, h->entry.principal))
+            ret = HDB_ERR_WRONG_REALM;
    return ret;
 }