authorAndrew Bartlett <abartlet@samba.org>2015-01-21 11:45:45 +1300
committerAndrew Bartlett <abartlet@samba.org>2015-01-23 05:42:07 +0100
commit891c4c6a403cc0904c37caaf500bb3a4e3a646c7 (patch)
treecde26d4fe0f187aea43266f2a266690ef6383155 /source4/heimdal
parentda4ac71eaba84fa6227b7d9f3adb204003ceaa70 (diff)
heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not overwritten
This change ensures that our RODC will correctly proxy when asked to provide a ticket for a service or user where the keys are not on this RODC. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/heimdal')
-rw-r--r--source4/heimdal/kdc/misc.c23
1 files changed, 19 insertions, 4 deletions
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index 869c6766d04..4ef5439cf14 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -98,18 +98,33 @@ _kdc_db_fetch(krb5_context context,
ent);
config->db[i]->hdb_close(context, config->db[i]);
- if (ret == 0) {
+ switch (ret) {
+ case 0:
if (db)
*db = config->db[i];
*h = ent;
ent = NULL;
goto out;
+
+ case HDB_ERR_NOENTRY:
+ /* Check the other databases */
+ continue;
+
+ default:
+ /*
+ * This is really important, because errors like
+ * HDB_ERR_NOT_FOUND_HERE (used to indicate to Samba that
+ * the RODC on which this code is running does not have
+ * the key we need, and so a proxy to the KDC is required)
+ * have specific meaning, and need to be propogated up.
+ */
+ goto out;
}
}
- ret = HDB_ERR_NOENTRY;
- krb5_set_error_message(context, ret, "no such entry found in hdb");
-
+ if (ret == HDB_ERR_NOENTRY) {
+ krb5_set_error_message(context, ret, "no such entry found in hdb");
+ }
out:
krb5_free_principal(context, enterprise_principal);
free(ent);
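Review bot: With the unconditional `ret = HDB_ERR_NOENTRY;` removed after the loop, the value returned on loop exit is whatever `ret` last held, and the new `if (ret == HDB_ERR_NOENTRY)` block does not cover the case where it is still 0. The loop header and the code before it are outside this hunk, so this is inferred: if the loop runs zero times and an earlier call left `ret` at 0, the function would report success without assigning `*h`, and the KDC caller would then use an entry pointer that was never set. A defensive line just before the message check, `if (ret == 0) ret = HDB_ERR_NOENTRY;`, keeps the old guarantee while still letting HDB_ERR_NOT_FOUND_HERE propagate. Any iteration that reaches `continue` before the switch (for example on a database open failure, if one exists above the hunk) now also decides the final return code, which deserves a short comment next to the loop. _kdc_db_fetch begins before the hunk and continues after it.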