sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-28 01:58:17 +03:00
Code

s4-kdc Return HDB_ERR_NOT_FOUND_HERE on un-revealed accounts on an RODC

Browse Source 
This means that when we are an RODC, and an account does not have the
password attributes, we can now indicate to the kdc code that it
should forward the request to a real DC.

(The proxy code itself is not in this commit).

Andrew Bartlett
This commit is contained in:
Andrew Bartlett 2010-11-12 12:32:50 +11:00 committed by Andrew Tridgell
parent aa1c32ccb0
commit e7fb5a6c91
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
source4/kdc/db-glue.c
View File

@ -192,6 +192,7 @@ static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
}
static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
uint32_t rid,
@ -376,6 +377,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
}
if (allocated_keys == 0) {
if (kdc_db_ctx->rodc) {
/* We are on an RODC, but don't have keys for this account. Signal this to the caller */
return HDB_ERR_NOT_FOUND_HERE;
}
/* oh, no password. Apparently (comment in
* hdb-ldap.c) this violates the ASN.1, but this
* allows an entry with no keys (yet). */
@ -768,7 +774,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
entry_ex->entry.generation = NULL;
/* Get keys from the db */
ret = samba_kdc_message2entry_keys(context, p, msg,
ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg,
rid, is_rodc, userAccountControl,
ent_type, entry_ex);
if (ret) {