s4:kdc: Pull auth_sam_trigger_repl_secret() up one layer to samba_kdc_message2entry()

This avoids making a call out in samba_kdc_message2entry_keys() and allows
for potential reuse of the key parsing code.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

source4/kdc/db-glue.c

@@ -904,21 +904,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 	}
 	entry->kvno = returned_kvno;
 
-	if (entry->keys.len == 0) {
-		if (kdc_db_ctx->rodc) {
-			/* We are on an RODC, but don't have keys for this account.  Signal this to the caller */
-			auth_sam_trigger_repl_secret(kdc_db_ctx, kdc_db_ctx->msg_ctx,
-						     kdc_db_ctx->ev_ctx, msg->dn);
-			return SDB_ERR_NOT_FOUND_HERE;
-		}
-
-		/*
-		 * oh, no password.  Apparently (comment in
-		 * hdb-ldap.c) this violates the ASN.1, but this
-		 * allows an entry with no keys (yet).
-		 */
-	}
-
 out:
 	return ret;
 }
@@ -1421,6 +1406,26 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		goto out;
 	}
 
+	if (entry->keys.len == 0) {
+		if (kdc_db_ctx->rodc) {
+			/*
+			 * We are on an RODC, but don't have keys for this
+			 * account.  Signal this to the caller
+			 */
+			auth_sam_trigger_repl_secret(kdc_db_ctx,
+						     kdc_db_ctx->msg_ctx,
+						     kdc_db_ctx->ev_ctx,
+						     msg->dn);
+			return SDB_ERR_NOT_FOUND_HERE;
+		}
+
+		/*
+		 * oh, no password.  Apparently (comment in
+		 * hdb-ldap.c) this violates the ASN.1, but this
+		 * allows an entry with no keys (yet).
+		 */
+	}
+
 	p->msg = talloc_steal(p, msg);
 	p->supported_enctypes = supported_enctypes;