heimdal Pass F_CANON down to the hdb layer for servers in AS-REP as well

This fixes Win2003 domain logons against Samba4, which need a
canonicalised reply, and helpfully do set that flag.

Specifically, they need that realm in krbtgt/realm@realm that these
both match exactly in the reply.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Feb 17 06:40:53 CET 2011 on sn-devel-104

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 394f4dec67b86994237fce110302d688751fe5d5..a437b9dbd91e18d60dee1ba8d8f4be6bba8b5cec 100644 (file)
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1000,9 +1000,8 @@ _kdc_as_rep(krb5_context context,
        ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
        goto out;
     }
-
     ret = _kdc_db_fetch(context, config, server_princ,
-                       HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
+                       HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags,
                        NULL, NULL, &server);
     if(ret == HDB_ERR_NOT_FOUND_HERE) {
        kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", server_name);