-rw-r--r--source4/heimdal/kdc/krb5tgs.c61
1 files changed, 30 insertions, 31 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 9131e5baf0..26e3936fe7 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1637,37 +1637,6 @@ server_lookup:
goto out;
}
- ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
- NULL, &clientdb, &client);
- if(ret == HDB_ERR_NOT_FOUND_HERE) {
- kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", cp);
- goto out;
- } else if(ret){
- const char *krbtgt_realm, *msg;
-
- /*
- * If the client belongs to the same realm as our krbtgt, it
- * should exist in the local database.
- *
- */
-
- krbtgt_realm =
- krb5_principal_get_comp_string(context,
- krbtgt->entry.principal, 1);
-
- if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
- if (ret == HDB_ERR_NOENTRY)
- ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
- kdc_log(context, config, 1, "Client no longer in database: %s",
- cpn);
- goto out;
- }
-
- msg = krb5_get_error_message(context, ret);
- kdc_log(context, config, 1, "Client not found in database: %s", msg);
- krb5_free_error_message(context, msg);
- }
-
/*
* Select enctype, return key and kvno.
*/
@@ -1788,6 +1757,36 @@ server_lookup:
goto out;
}
+ ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
+ NULL, &clientdb, &client);
+ if(ret == HDB_ERR_NOT_FOUND_HERE) {
+ /* This is OK, we are just trying to find out if they have
+ * been disabled or deleted in the meantime, missing secrets
+ * is OK */
+ } else if(ret){
+ const char *krbtgt_realm, *msg;
+
+ /*
+ * If the client belongs to the same realm as our krbtgt, it
+ * should exist in the local database.
+ *
+ */
+
+ krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
+
+ if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
+ if (ret == HDB_ERR_NOENTRY)
+ ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ kdc_log(context, config, 1, "Client no longer in database: %s",
+ cpn);
+ goto out;
+ }
+
+ msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 1, "Client not found in database: %s", msg);
+ krb5_free_error_message(context, msg);
+ }
+
ret = check_PAC(context, config, cp,
client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key,
tgt, &rspac, &signedpath);
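Review bot: The `HDB_ERR_NOT_FOUND_HERE` branch is now empty, so the case the removed block logged at level 5 ("client ... does not have secrets at this KDC") leaves no trace at all, and control falls through to `check_PAC` with whatever `_kdc_db_fetch` left in `client` (presumably NULL). If that is the intended behaviour, keep it observable and explicit with a debug-level line in the branch, e.g. `kdc_log(context, config, 5, "client %s does not have secrets at this KDC, continuing without client entry", cp);`, and extend the comment to say that `check_PAC` and the code after it must tolerate a NULL `client` — whether they do cannot be seen from this hunk. Separately, `krbtgt_realm` is now `krb5_principal_get_realm(context, krbtgt_out->entry.principal)` where the removed block used component 1 of `krbtgt->entry.principal`; for a cross-realm krbtgt those are different strings and a different principal, yet the comment above the `strcmp` still reads "the same realm as our krbtgt", so the reason `krbtgt_out`'s realm is the right comparison here should be recorded next to it. Note also that on the foreign-realm failure path `ret` stays non-zero after the log and is only cleared by the `ret = check_PAC(...)` assignment, so any check on `ret` inserted between the two would misfire. The enclosing function begins and ends outside the hunk.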