if(ret == HDB_ERR_NOT_FOUND_HERE) {
kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", client_name);
goto out;
+ } else if (ret == HDB_ERR_WRONG_REALM) {
+ char *fixed_client_name = NULL;
+
+ ret = krb5_unparse_name(context, client->entry.principal,
+ &fixed_client_name);
+ if (ret) {
+ goto out;
+ }
+
+ kdc_log(context, config, 0, "WRONG_REALM - %s -> %s",
+ client_name, fixed_client_name);
+ free(fixed_client_name);
+
+ ret = krb5_mk_error_ext(context,
+ KRB5_KDC_ERR_WRONG_REALM,
+ NULL, /* e_text */
+ NULL, /* e_data */
+ server_princ,
+ NULL, /* client_name */
+ &client->entry.principal->realm,
+ NULL, /* client_time */
+ NULL, /* client_usec */
+ reply);
+ goto out;
} else if(ret){
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg);
out:
free_AS_REP(&rep);
- if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE){
+ if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
krb5_mk_error(context,
ret,
e_text,
if(ret == HDB_ERR_NOT_FOUND_HERE) {
kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp);
goto out;
+ } else if (ret == HDB_ERR_WRONG_REALM) {
+ if (ref_realm)
+ free(ref_realm);
+ ref_realm = strdup(server->entry.principal->realm);
+ if (ref_realm == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ kdc_log(context, config, 5,
+ "Returning a referral to realm %s for "
+ "server %s.",
+ ref_realm, spn);
+ krb5_free_principal(context, sp);
+ sp = NULL;
+ free(spn);
+ spn = NULL;
+ ret = krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
+ ref_realm, NULL);
+ if (ret)
+ goto out;
+ ret = krb5_unparse_name(context, sp, &spn);
+ if (ret)
+ goto out;
+
+ goto server_lookup;
} else if(ret){
const char *new_rlm, *msg;
Realm req_rlm;
config->db[i]->hdb_close(context, config->db[i]);
switch (ret) {
+ case HDB_ERR_WRONG_REALM:
+ /*
+ * the ent->entry.principal just contains hints for the client
+ * to retry. This is important for enterprise principal routing
+ * between trusts.
+ */
+ /* fall through */
case 0:
if (db)
*db = config->db[i];
error_code NO_WRITE_SUPPORT, "HDB backend doesn't contain write support"
error_code NOT_FOUND_HERE, "The secret for this entry is not replicated to this database"
error_code MISUSE, "Incorrect use of the API"
+error_code WRONG_REALM, "The principal exists in another realm."
end