authorAndrew Bartlett <abartlet@samba.org>2010-11-12 12:32:50 +1100
committerAndrew Tridgell <tridge@samba.org>2010-11-12 18:18:55 +1100
commite7fb5a6c9142d4dcffd4a331d3aa78ac543db34a (patch)
tree84d7d5c15f82a65f638b7a85b3fb4a6ad54f9a3b
parentaa1c32ccb08965ff2044b82cbf624404f7fd377b (diff)
s4-kdc Return HDB_ERR_NOT_FOUND_HERE on un-revealed accounts on an RODC
This means that when we are an RODC, and an account does not have the password attributes, we can now indicate to the kdc code that it should forward the request to a real DC. (The proxy code itself is not in this commit). Andrew Bartlett
-rw-r--r--source4/kdc/db-glue.c8
1 files changed, 7 insertions, 1 deletions
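diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index e9ae5b3486..eaa97e3a1d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -192,6 +192,7 @@ static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
 }
 static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
+ struct samba_kdc_db_context *kdc_db_ctx,
 TALLOC_CTX *mem_ctx,
 struct ldb_message *msg,
 uint32_t rid,
@@ -376,6 +377,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 }
 if (allocated_keys == 0) {
+ if (kdc_db_ctx->rodc) {
+ /* We are on an RODC, but don't have keys for this account. Signal this to the caller */
+ return HDB_ERR_NOT_FOUND_HERE;
+ }
+
 /* oh, no password. Apparently (comment in
 * hdb-ldap.c) this violates the ASN.1, but this
 * allows an entry with no keys (yet). */
@@ -768,7 +774,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 entry_ex->entry.generation = NULL;
 /* Get keys from the db */
- ret = samba_kdc_message2entry_keys(context, p, msg,
+ ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg,
 rid, is_rodc, userAccountControl,
 ent_type, entry_ex);
 if (ret) {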
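Review bot: The new `if (kdc_db_ctx->rodc)` branch in the second hunk equates "no keys were allocated" with "this account is not revealed to this RODC", but `allocated_keys == 0` is also the case the existing comment directly below it describes — an account that genuinely has no password yet — and, as far as the hunk shows, any account whose stored keys were all skipped; on an RODC those will now be reported as HDB_ERR_NOT_FOUND_HERE too and, once the proxy lands, forwarded to a writable DC. If that is the intended trade-off, the comment should say so, e.g. `/* On an RODC, an account with no usable keys is assumed not to be revealed to us (or to have no password at all); report HDB_ERR_NOT_FOUND_HERE so the caller can forward the request to a writable DC instead of answering with a keyless entry. */`; if the RODC's revealed-accounts state is reachable through kdc_db_ctx, checking it would be a more precise signal than key absence, though nothing in this hunk shows whether it is. With `kdc_db_ctx->rodc` now used next to the existing `is_rodc` parameter (visible in the third hunk's call), a one-line comment distinguishing the two — this DC being an RODC versus a property of the account being looked up, if that is the distinction — would avoid confusion. samba_kdc_message2entry_keys begins and ends outside this hunk, so whether the early return leaves anything allocated on mem_ctx for the caller to release could not be checked here.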