From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 20 Mar 2025 01:02:11 +0000 (+0100)
Subject: s4:kdc: let SDB_F_CROSS_REALM_PRINCIPAL result in SDB_ERR_NOT_FOUND_HERE
X-Git-Tag: tevent-0.17.0~397
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12a1f504dcf42a5c243aebb57502f5fd0b199540;p=thirdparty%2Fsamba.git

s4:kdc: let SDB_F_CROSS_REALM_PRINCIPAL result in SDB_ERR_NOT_FOUND_HERE

It means the client is remote and the kdc logic has to live without
an sdb_entry.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 1f8574e9ef5..9a76ec8271d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -3401,6 +3401,18 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
 		if (flags & SDB_F_FOR_AS_REQ) {
 			check_realm = true;
 		}
+		if ((flags & SDB_F_FOR_TGS_REQ) &&
+		    (flags & SDB_F_CROSS_REALM_PRINCIPAL))
+		{
+			/*
+			 * The request is not for us...
+			 * Let the caller ignore that
+			 * the client is remote and
+			 * has no local sdb_entry.
+			 */
+			TALLOC_FREE(frame);
+			return SDB_ERR_NOT_FOUND_HERE;
+		}
 	}
 	if (flags & SDB_F_GET_SERVER) {
 		if (flags & SDB_F_FOR_TGS_REQ) {