From: Stefan Metzmacher
Date: Fri, 18 Feb 2022 16:17:02 +0000 (+0100)
Subject: HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE
X-Git-Tag: samba-4.14.13~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68f55294eb0c37da3c4e3f76d5c3154e762d46ad;p=thirdparty%2Fsamba.git
HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE
On an RODC we need to redirect failing preauthentication to an RWDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865
Signed-off-by: Stefan Metzmacher (similar to commit heimdal commit df655cecd12712e7f7df5128b123eee0066a8216)
---
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index c1d4cb1d4aa..9684364c519 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1357,13 +1357,19 @@ _kdc_as_rep(krb5_context context,
 free_EncryptedData(&enc_data);
- if (clientdb->hdb_auth_status)
- (clientdb->hdb_auth_status)(context, clientdb, client,
+ if (clientdb->hdb_auth_status) {
+ ret = (clientdb->hdb_auth_status)(context, clientdb, client,
 from_addr, &_kdc_now, client_name, str ? str : "unknown enctype", HDB_AUTH_WRONG_PASSWORD);
+ if (ret == HDB_ERR_NOT_FOUND_HERE) {
+ kdc_log(context, config, 5, "client %s HDB_AUTH_WRONG_PASSWORD at this KDC, forward to proxy", client_name);
+ free(str);
+ goto out;
+ }
+ }
 free(str);