From e030c0d5e150b09b66faebb0f058fc6f20a13a5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Thu, 1 Jun 2006 17:43:03 +0000
Subject: [PATCH] Split up the reverse cross krbtgt check and local clien must exists test.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17603 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/krb5tgs.c | 45 +++++++++++++++++++++++++++++----------------
 1 file changed, 29 insertions(+), 16 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 72f057690..5c60c5425 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -959,27 +959,40 @@ server_lookup:
     }
     ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, &client);
-    if(ret)
-        kdc_log(context, config, 1, "Client not found in database: %s: %s",
-                cpn, krb5_get_err_text(context, ret));
+    if(ret) {
+        const char *krbtgt_realm;
-    /*
-     * If the client belongs to the same realm as our krbtgt, it
-     * should exist in the local database.
-     *
-     * If its not the same, check the "direction" on the krbtgt,
-     * so its not a backward uni-directional trust.
-     */
+        /*
+         * If the client belongs to the same realm as our krbtgt, it
+         * should exist in the local database.
+         *
+         */
-    if(strcmp(krb5_principal_get_realm(context, sp),
-              krb5_principal_get_comp_string(context,
-                                             krbtgt->entry.principal, 1)) == 0) {
-        if(ret) {
+        krbtgt_realm = krb5_principal_get_realm(context,
+                                                krbtgt->entry.principal);
+
+        if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
             if (ret == HDB_ERR_NOENTRY)
                 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+            kdc_log(context, config, 1, "Client no longer in database: %s",
+                    cpn);
             goto out;
         }
-    } else {
+
+        kdc_log(context, config, 1, "Client not found in database: %s: %s",
+                cpn, krb5_get_err_text(context, ret));
+    }
+
+    /*
+     * Check that service is in the same realm as the krbtgt. If its
+     * not the same, its someone that is using a uni-directional trust
+     * backward.
+     */
+
+    if (strcmp(krb5_principal_get_realm(context, sp),
+               krb5_principal_get_comp_string(context,
+                                              krbtgt->entry.principal,
+                                              1)) != 0) {
         char *tpn;
         ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
         kdc_log(context, config, 0,
@@ -1111,7 +1124,7 @@ _kdc_tgs_rep(krb5_context context,
                               from_addr);
         if (ret) {
             kdc_log(context, config, 0,
-                      "Failed building TGS-REP to from %s", from);
+                      "Failed building TGS-REP to %s", from);
             goto out;
         }
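Review bot: The two realm comparisons introduced in this hunk read different parts of `krbtgt->entry.principal`: the new client check uses `krb5_principal_get_realm(context, krbtgt->entry.principal)` while the service check, like the code it replaces, uses `krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)`. If `krbtgt` is the HDB entry for the TGT presented in the request (its fetch is outside this hunk), its realm is the issuing realm, so for an inbound cross-realm TGT of the form krbtgt/LOCAL@REMOTE a client from REMOTE would match `krbtgt_realm`, fail the local `_kdc_db_fetch`, and be rejected with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, whereas the intent stated in the comment is to require local existence only for clients of this KDC's own realm. If "our realm" is what is meant, the second component is the consistent choice and makes `krbtgt_realm` unnecessary: `if(strcmp(krb5_principal_get_realm(context, cp), krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)) == 0) {`; if the issuing realm is really intended, the comment above the check should say so and explain why it differs from the service check below it. The enclosing function starts and ends outside the hunk.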