author | Andrew Bartlett <abartlet@samba.org> | 2010-11-12 12:32:50 +1100 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-11-12 18:18:55 +1100 |
commit | e7fb5a6c9142d4dcffd4a331d3aa78ac543db34a (patch) | |
tree | 84d7d5c15f82a65f638b7a85b3fb4a6ad54f9a3b | |
parent | aa1c32ccb08965ff2044b82cbf624404f7fd377b (diff) | |
s4-kdc Return HDB_ERR_NOT_FOUND_HERE on un-revealed accounts on an RODC
This means that when we are an RODC, and an account does not have the
password attributes, we can now indicate to the kdc code that it
should forward the request to a real DC.
(The proxy code itself is not in this commit).
Andrew Bartlett
-rw-r--r-- | source4/kdc/db-glue.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index e9ae5b3486..eaa97e3a1d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -192,6 +192,7 @@ static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
 }
 
 static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
+						    struct samba_kdc_db_context *kdc_db_ctx,
 						    TALLOC_CTX *mem_ctx,
 						    struct ldb_message *msg,
 						    uint32_t rid,
@@ -376,6 +377,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 	}
 
 	if (allocated_keys == 0) {
+		if (kdc_db_ctx->rodc) {
+			/* We are on an RODC, but don't have keys for this account. Signal this to the caller */
+			return HDB_ERR_NOT_FOUND_HERE;
+		}
+
 		/* oh, no password. Apparently (comment in
 		 * hdb-ldap.c) this violates the ASN.1, but this
 		 * allows an entry with no keys (yet). */
@@ -768,7 +774,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	entry_ex->entry.generation = NULL;
 
 	/* Get keys from the db */
-	ret = samba_kdc_message2entry_keys(context, p, msg,
+	ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg,
 					   rid, is_rodc, userAccountControl,
 					   ent_type, entry_ex);
 	if (ret) {
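Review bot: The early return added in the @@ -376 hunk uses `allocated_keys == 0` as its only evidence that the account is "not revealed here", so on an RODC an account that genuinely has no keys, or whose keys were all discarded earlier in samba_kdc_message2entry_keys (the function starts and ends outside this hunk), is now forwarded instead of reaching the existing no-password branch just below. Forwarding is the fail-closed choice for an RODC, which cannot issue tickets without keys anyway, so this is presumably intended, but the comment should state it; suggest `/* We are an RODC and hold no keys for this account: either it is not revealed to us or it has none. Either way return HDB_ERR_NOT_FOUND_HERE so the caller forwards to a full DC rather than answering from an empty key set. */`. The @@ -768 hunk shows the call also passes an existing `is_rodc` argument, which appears to describe the principal being looked up rather than this KDC; a short comment distinguishing it from `kdc_db_ctx->rodc` would spare the next reader from conflating the two.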