heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not overwritten

This change ensures that our RODC will correctly proxy when asked to provide
a ticket for a service or user where the keys are not on this RODC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index 869c6766d04831ad358dacc3e7d1a62271b91a81..4ef5439cf145b567e82185a033c9f4b92ac4ffd9 100644 (file)
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -98,18 +98,33 @@ _kdc_db_fetch(krb5_context context,
                                            ent);
        config->db[i]->hdb_close(context, config->db[i]);
 
-       if (ret == 0) {
+       switch (ret) {
+       case 0:
            if (db)
                *db = config->db[i];
            *h = ent;
             ent = NULL;
             goto out;
+
+       case HDB_ERR_NOENTRY:
+           /* Check the other databases */
+           continue;
+
+       default:
+           /* 
+            * This is really important, because errors like
+            * HDB_ERR_NOT_FOUND_HERE (used to indicate to Samba that
+            * the RODC on which this code is running does not have
+            * the key we need, and so a proxy to the KDC is required)
+            * have specific meaning, and need to be propogated up.
+            */
+           goto out;
        }
     }
 
-    ret = HDB_ERR_NOENTRY;
-    krb5_set_error_message(context, ret, "no such entry found in hdb");
-
+    if (ret == HDB_ERR_NOENTRY) {
+       krb5_set_error_message(context, ret, "no such entry found in hdb");
+    }
 out:
     krb5_free_principal(context, enterprise_principal);
     free(ent);