HEIMDAL:kdc: make it possible to disable the principal based referral detection

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

3 files changed, 6 insertions, 1 deletions

diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
index 6fbf5fdae15..0129c5d3c54 100644
--- a/source4/heimdal/kdc/default_config.c
+++ b/source4/heimdal/kdc/default_config.c
@@ -55,6 +55,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     c->preauth_use_strongest_session_key = FALSE;
     c->tgs_use_strongest_session_key = FALSE;
     c->use_strongest_server_key = TRUE;
+    c->autodetect_referrals = TRUE;
     c->check_ticket_addresses = TRUE;
     c->allow_null_ticket_addresses = TRUE;
     c->allow_anonymous = FALSE;
diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h
index 9d52fd4c2ec..16263d6919b 100644
--- a/source4/heimdal/kdc/kdc.h
+++ b/source4/heimdal/kdc/kdc.h
@@ -69,6 +69,8 @@ typedef struct krb5_kdc_configuration {
     krb5_boolean allow_anonymous;
     enum krb5_kdc_trpolicy trpolicy;
 
+    krb5_boolean autodetect_referrals;
+
     krb5_boolean enable_pkinit;
     krb5_boolean pkinit_princ_in_cert;
     const char *pkinit_kdc_identity;
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 334a6eb1dc8..a888788bb6f 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1660,7 +1660,9 @@ server_lookup:
 	Realm req_rlm;
 	krb5_realm *realms;
 
-	if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
+	if (!config->autodetect_referrals) {
+		/* noop */
+	} else if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
 	    if(nloop++ < 2) {
 		new_rlm = find_rpath(context, tgt->crealm, req_rlm);
 		if(new_rlm) {