HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE
authorStefan Metzmacher <metze@samba.org>
Fri, 18 Feb 2022 16:17:02 +0000 (17:17 +0100)
committerStefan Metzmacher <metze@samba.org>
Fri, 18 Mar 2022 10:39:16 +0000 (10:39 +0000)
On an RODC we need to redirect failing preauthentication to an RWDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(similar to Heimdal commit df655cecd12712e7f7df5128b123eee0066a8216)

source4/heimdal/kdc/kerberos5.c

index c1d4cb1d4aa130065ed6f491ea741fee32caf68f..9684364c519a1465ff746f75288d9987919c14a5 100644 (file)
@@ -1357,13 +1357,19 @@ _kdc_as_rep(krb5_context context,
 
                free_EncryptedData(&enc_data);
 
-               if (clientdb->hdb_auth_status)
-                   (clientdb->hdb_auth_status)(context, clientdb, client,
+               if (clientdb->hdb_auth_status) {
+                   ret = (clientdb->hdb_auth_status)(context, clientdb, client,
                                                from_addr,
                                                &_kdc_now,
                                                client_name,
                                                str ? str : "unknown enctype",
                                                HDB_AUTH_WRONG_PASSWORD);
+                   if (ret == HDB_ERR_NOT_FOUND_HERE) {
+                       kdc_log(context, config, 5, "client %s HDB_AUTH_WRONG_PASSWORD at this KDC, forward to proxy", client_name);
+                       free(str);
+                       goto out;
+                   }
+               }
 
                free(str);