From aa1c32ccb08965ff2044b82cbf624404f7fd377b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 12 Nov 2010 12:31:33 +1100 Subject: heimdal Return HDB_ERR_NOT_FOUND_HERE to the caller This means that no reply packet should be generated, but that instead the user of the libkdc API should forward the packet to a real KDC, that has a full database. Andrew Bartlett --- source4/heimdal/kdc/kerberos5.c | 12 +++++++++--- source4/heimdal/kdc/krb5tgs.c | 27 ++++++++++++++++++++++----- source4/heimdal/kdc/misc.c | 6 +++--- 3 files changed, 34 insertions(+), 11 deletions(-) diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 40e597befb..394f4dec67 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -990,7 +990,10 @@ _kdc_as_rep(krb5_context context, ret = _kdc_db_fetch(context, config, client_princ, HDB_F_GET_CLIENT | flags, NULL, &clientdb, &client); - if(ret){ + if(ret == HDB_ERR_NOT_FOUND_HERE) { + kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", client_name); + goto out; + } else if(ret){ const char *msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg); krb5_free_error_message(context, msg); @@ -1001,7 +1004,10 @@ _kdc_as_rep(krb5_context context, ret = _kdc_db_fetch(context, config, server_princ, HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, NULL, NULL, &server); - if(ret){ + if(ret == HDB_ERR_NOT_FOUND_HERE) { + kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", server_name); + goto out; + } else if(ret){ const char *msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, msg); krb5_free_error_message(context, msg); @@ -1778,7 +1784,7 @@ _kdc_as_rep(krb5_context context, out: free_AS_REP(&rep); - if(ret){ + if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE){ krb5_mk_error(context, ret, e_text, 
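Review bot: The new `goto out;` in the client-lookup branch at the top of this hunk leaves `ret` as HDB_ERR_NOT_FOUND_HERE and depends on the `out:` path returning that value unchanged to the libkdc caller; the `krb5_mk_error` guard at `out:` is changed in the last hunk of this file, but that hunk is cut off here, so it is worth confirming `_kdc_as_rep` really ends with `return ret;` rather than `return 0;`. The contract lives only in the commit message: nothing at the branch tells a reader that no reply is built and that the caller is expected to re-send the original request to a KDC that holds the secrets. I would state it at the branch, `/* No reply is built: the libkdc caller forwards the request to a KDC that holds this principal's secrets. */`. Note that the decision is taken on the unverified client name from the AS-REQ before any pre-authentication is checked, so the forwarding caller has to treat the packet as untrusted input. `_kdc_as_rep` starts and ends outside the hunk.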
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 71d99e2bee..60fb4dc2cd 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -1170,7 +1170,17 @@ tgs_parse_request(krb5_context context, ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt); - if(ret) { + if(ret == HDB_ERR_NOT_FOUND_HERE) { + char *p; + ret = krb5_unparse_name(context, princ, &p); + if (ret != 0) + p = ""; + krb5_free_principal(context, princ); + kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p); + if (ret == 0) + free(p); + goto out; + } else if(ret){ const char *msg = krb5_get_error_message(context, ret); char *p; ret = krb5_unparse_name(context, princ, &p); @@ -1565,7 +1575,10 @@ server_lookup: ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON, NULL, NULL, &server); - if(ret){ + if(ret == HDB_ERR_NOT_FOUND_HERE) { + kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp); + goto out; + } else if(ret){ const char *new_rlm, *msg; Realm req_rlm; krb5_realm *realms; @@ -1625,7 +1638,10 @@ server_lookup: ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON, NULL, &clientdb, &client); - if(ret) { + if(ret == HDB_ERR_NOT_FOUND_HERE) { + kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", cp); + goto out; + } else if(ret){ const char *krbtgt_realm, *msg; /* @@ -2230,7 +2246,7 @@ _kdc_tgs_rep(krb5_context context, out: if (replykey) krb5_free_keyblock(context, replykey); - if(ret && data->data == NULL){ + if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){ krb5_mk_error(context, ret, NULL, @@ -2240,6 +2256,7 @@ out: csec, cusec, data); + ret = 0; } free(csec); free(cusec); @@ -2253,5 +2270,5 @@ out: free(auth_data); } - return 0; + return ret; } 
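Review bot: In the new HDB_ERR_NOT_FOUND_HERE branch of `tgs_parse_request` (first hunk of this file), `ret = krb5_unparse_name(context, princ, &p);` overwrites the lookup result, so whenever the name formats successfully the branch reaches `goto out;` with `ret == 0` and the proxy signal is lost; the caller then sees a successfully parsed request while `*krbtgt` was never filled in, which on the visible code looks like a NULL dereference reachable by any TGS-REQ naming a krbtgt account this KDC does not hold. Only a failing `krb5_unparse_name` keeps `ret` non-zero, and then it is the wrong code. Restore the signal before leaving, `ret = HDB_ERR_NOT_FOUND_HERE;` immediately before `goto out;`, or keep the unparse status in a separate local. `tgs_parse_request` and its `out:` label are outside the hunk, so I am assuming `out` returns `ret` as the existing `else if(ret)` branch relies on.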
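Review bot: `_kdc_tgs_rep` now ends with `return ret;` (last hunk) instead of `return 0;`, but the `ret = 0;` added in the preceding hunk only runs inside the `data->data == NULL` guard, so any path that has already placed a reply in `data` while still carrying a non-zero `ret` now hands the caller a reply buffer and an error code at once; whether such paths exist is not visible here, but the pre-existing `data->data == NULL` test suggests they do. Before this commit the function returned 0 in that situation, so a caller that treats non-zero as "no reply, forward or drop" would silently discard a reply the KDC built. I would clear the code whenever a reply exists and let only HDB_ERR_NOT_FOUND_HERE reach the return, as below. The `krb5_mk_error` argument list and the start of `out:` are spread over the three preceding hunks.
```c
    if (ret && ret != HDB_ERR_NOT_FOUND_HERE) {
	if (data->data == NULL) {
	    krb5_mk_error(context, ret, NULL,
			  /* … unchanged: remaining krb5_mk_error arguments … */
			  csec, cusec, data);
	}
	ret = 0;
    }
    /* … unchanged: free(csec), free(cusec), cleanup … */
    return ret;
```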
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index 9feb99cdbc..2e95ad2832 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -45,7 +45,7 @@ _kdc_db_fetch(krb5_context context,
 hdb_entry_ex **h)
 {
 hdb_entry_ex *ent;
- krb5_error_code ret;
+ krb5_error_code ret = HDB_ERR_NOENTRY;
 int i;
 unsigned kvno = 0;
@@ -118,9 +118,9 @@ _kdc_db_fetch(krb5_context context,
 }
 }
 free(ent);
- krb5_set_error_message(context, HDB_ERR_NOENTRY,
+ krb5_set_error_message(context, ret,
 "no such entry found in hdb");
- return HDB_ERR_NOENTRY;
+ return ret;
 }
 void
-- 
cgit
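Review bot: With `return ret;` the tail of `_kdc_db_fetch` now also reports HDB_ERR_NOT_FOUND_HERE, but the error text set two lines above is still the fixed `"no such entry found in hdb"`, which is wrong for that code and is exactly what the `krb5_get_error_message` calls in the kerberos5.c and krb5tgs.c hunks would log if a caller ever lands in the generic error branch with it. Choose the message by code, e.g. `ret == HDB_ERR_NOT_FOUND_HERE ? "entry is held by another KDC, not in this hdb" : "no such entry found in hdb"`. The loop that decides the final `ret` sits between the two hunks and is not visible; because `ret` is reused for each backend's open and fetch result, a later backend's unrelated failure could overwrite an earlier HDB_ERR_NOT_FOUND_HERE, so it is worth checking that only HDB_ERR_NOENTRY and HDB_ERR_NOT_FOUND_HERE can fall through to this tail.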