authorStefan Metzmacher <metze@samba.org>2022-02-18 17:17:02 +0100
committerStefan Metzmacher <metze@samba.org>2022-03-18 10:39:16 +0000
commit68f55294eb0c37da3c4e3f76d5c3154e762d46ad (patch)
tree155d2f315543f1cf819932217fda138e440f7246
parent3ae7ead5fd53e5ca590cb6bee82afc92b35264f6 (diff)
HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE
On an RODC we need to redirect failing preauthentication to an RWDC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865 Signed-off-by: Stefan Metzmacher <metze@samba.org> (similar to heimdal commit df655cecd12712e7f7df5128b123eee0066a8216)
-rw-r--r--source4/heimdal/kdc/kerberos5.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index c1d4cb1d4aa..9684364c519 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1357,13 +1357,19 @@ _kdc_as_rep(krb5_context context,
free_EncryptedData(&enc_data);
- if (clientdb->hdb_auth_status)
- (clientdb->hdb_auth_status)(context, clientdb, client,
+ if (clientdb->hdb_auth_status) {
+ ret = (clientdb->hdb_auth_status)(context, clientdb, client,
from_addr,
&_kdc_now,
client_name,
str ? str : "unknown enctype",
HDB_AUTH_WRONG_PASSWORD);
+ if (ret == HDB_ERR_NOT_FOUND_HERE) {
+ kdc_log(context, config, 5, "client %s HDB_AUTH_WRONG_PASSWORD at this KDC, forward to proxy", client_name);
+ free(str);
+ goto out;
+ }
+ }
free(str);