diff options
author | Stefan Metzmacher <metze@samba.org> | 2022-02-18 17:17:02 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-03-18 10:39:16 +0000 |
commit | 68f55294eb0c37da3c4e3f76d5c3154e762d46ad (patch) | |
tree | 155d2f315543f1cf819932217fda138e440f7246 | |
parent | 3ae7ead5fd53e5ca590cb6bee82afc92b35264f6 (diff) | |
download | samba-68f55294eb0c37da3c4e3f76d5c3154e762d46ad.tar.gz |
HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE
On an RODC we need to redirect failing preauthentication to an RWDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(similar to commit heimdal commit df655cecd12712e7f7df5128b123eee0066a8216)
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index c1d4cb1d4aa..9684364c519 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -1357,13 +1357,19 @@ _kdc_as_rep(krb5_context context, free_EncryptedData(&enc_data); - if (clientdb->hdb_auth_status) - (clientdb->hdb_auth_status)(context, clientdb, client, + if (clientdb->hdb_auth_status) { + ret = (clientdb->hdb_auth_status)(context, clientdb, client, from_addr, &_kdc_now, client_name, str ? str : "unknown enctype", HDB_AUTH_WRONG_PASSWORD); + if (ret == HDB_ERR_NOT_FOUND_HERE) { + kdc_log(context, config, 5, "client %s HDB_AUTH_WRONG_PASSWORD at this KDC, forward to proxy", client_name); + free(str); + goto out; + } + } free(str); |