s4:mitkdc: Always set SDB_F_FOR_{TGS,AS}_REQ flag for DAL >= 9

The KRB5_KDB_FLAG_REFERRAL_OK is to indicate wether a realm referral is
allowed. In AD this is always allowed. Also there is no way to pass that
indication to the SamDB layer.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Mon Jul  4 12:22:16 UTC 2022 on sn-devel-184

diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index c264191bf6b862ff4ba9e6d1a26d951a5caa9be7..e316c57ee31b944bb9fbbeb58b07e554bcd6e7d8 100644 (file)
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -234,10 +234,7 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
 
        if (kflags & KRB5_KDB_FLAG_CLIENT) {
                sflags |= SDB_F_GET_CLIENT;
-
-               if (!(kflags & KRB5_KDB_FLAG_REFERRAL_OK)) {
-                       sflags |= SDB_F_FOR_AS_REQ;
-               }
+               sflags |= SDB_F_FOR_AS_REQ;
        } else {
                int equal = smb_krb5_principal_is_tgs(ctx->context, principal);
                if (equal == -1) {
@@ -248,10 +245,7 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
                        sflags |= SDB_F_GET_KRBTGT;
                } else {
                        sflags |= SDB_F_GET_SERVER;
-
-                       if (!(kflags & KRB5_KDB_FLAG_REFERRAL_OK)) {
-                               sflags |= SDB_F_FOR_TGS_REQ;
-                       }
+                       sflags |= SDB_F_FOR_TGS_REQ;
                }
        }
 #else /* KRB5_KDB_DAL_MAJOR_VERSION < 9 */