heimdal Return HDB_ERR_NOT_FOUND_HERE to the caller

This means that no reply packet should be generated, but that instead
the user of the libkdc API should forward the packet to a real KDC,
that has a full database.

Andrew Bartlett

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 40e597befb51d910ee028058ec677e28451c70be..394f4dec67b86994237fce110302d688751fe5d5 100644 (file)
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -990,7 +990,10 @@ _kdc_as_rep(krb5_context context,
     ret = _kdc_db_fetch(context, config, client_princ,
                        HDB_F_GET_CLIENT | flags, NULL,
                        &clientdb, &client);
-    if(ret){
+    if(ret == HDB_ERR_NOT_FOUND_HERE) {
+       kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", client_name);
+       goto out;
+    } else if(ret){
        const char *msg = krb5_get_error_message(context, ret);
        kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg);
        krb5_free_error_message(context, msg);
@@ -1001,7 +1004,10 @@ _kdc_as_rep(krb5_context context,
     ret = _kdc_db_fetch(context, config, server_princ,
                        HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
                        NULL, NULL, &server);
-    if(ret){
+    if(ret == HDB_ERR_NOT_FOUND_HERE) {
+       kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", server_name);
+       goto out;
+    } else if(ret){
        const char *msg = krb5_get_error_message(context, ret);
        kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, msg);
        krb5_free_error_message(context, msg);
@@ -1778,7 +1784,7 @@ _kdc_as_rep(krb5_context context,
 
 out:
     free_AS_REP(&rep);
-    if(ret){
+    if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE){
        krb5_mk_error(context,
                      ret,
                      e_text,

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 71d99e2bee0dd0afdcfaa9d74bdf46b5ea2fe7d9..60fb4dc2cd6cb5fd5ca7b90c469f2755308c5ce1 100644 (file)
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1170,7 +1170,17 @@ tgs_parse_request(krb5_context context,
 
     ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
 
-    if(ret) {
+    if(ret == HDB_ERR_NOT_FOUND_HERE) {
+       char *p;
+       ret = krb5_unparse_name(context, princ, &p);
+       if (ret != 0)
+           p = "<unparse_name failed>";
+       krb5_free_principal(context, princ);
+       kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
+       if (ret == 0)
+           free(p);
+       goto out;
+    } else if(ret){
        const char *msg = krb5_get_error_message(context, ret);
        char *p;
        ret = krb5_unparse_name(context, princ, &p);
@@ -1565,7 +1575,10 @@ server_lookup:
     ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
                        NULL, NULL, &server);
 
-    if(ret){
+    if(ret == HDB_ERR_NOT_FOUND_HERE) {
+       kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp);
+       goto out;
+    } else if(ret){
        const char *new_rlm, *msg;
        Realm req_rlm;
        krb5_realm *realms;
@@ -1625,7 +1638,10 @@ server_lookup:
 
     ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
                        NULL, &clientdb, &client);
-    if(ret) {
+    if(ret == HDB_ERR_NOT_FOUND_HERE) {
+       kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", cp);
+       goto out;
+    } else if(ret){
        const char *krbtgt_realm, *msg;
 
        /*
@@ -2230,7 +2246,7 @@ _kdc_tgs_rep(krb5_context context,
 out:
     if (replykey)
        krb5_free_keyblock(context, replykey);
-    if(ret && data->data == NULL){
+    if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
        krb5_mk_error(context,
                      ret,
                      NULL,
@@ -2240,6 +2256,7 @@ out:
                      csec,
                      cusec,
                      data);
+       ret = 0;
     }
     free(csec);
     free(cusec);
@@ -2253,5 +2270,5 @@ out:
        free(auth_data);
     }
 
-    return 0;
+    return ret;
 }

diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index 9feb99cdbc0967818edecace6ff2e182f82ad8cc..2e95ad2832ba6723a230212e701785bc95422d5a 100644 (file)
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -45,7 +45,7 @@ _kdc_db_fetch(krb5_context context,
              hdb_entry_ex **h)
 {
     hdb_entry_ex *ent;
-    krb5_error_code ret;
+    krb5_error_code ret = HDB_ERR_NOENTRY;
     int i;
     unsigned kvno = 0;
 
@@ -118,9 +118,9 @@ _kdc_db_fetch(krb5_context context,
        }
     }
     free(ent);
-    krb5_set_error_message(context, HDB_ERR_NOENTRY,
+    krb5_set_error_message(context, ret,
                           "no such entry found in hdb");
-    return HDB_ERR_NOENTRY;
+    return ret;
 }
 
 void