From 17f8ec6f57a831de90bf66fd7523b4d1148cb397 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Mon, 27 Jun 2022 16:04:56 +0200
Subject: [PATCH] s4:mitkdc: Always set SDB_F_FOR_{TGS,AS}_REQ flag for DAL >=
 9

The KRB5_KDB_FLAG_REFERRAL_OK is to indicate wether a realm referral is
allowed. In AD this is always allowed. Also there is no way to pass that
indication to the SamDB layer.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Mon Jul  4 12:22:16 UTC 2022 on sn-devel-184
---
 source4/kdc/mit_samba.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index c264191bf6b..e316c57ee31 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -234,10 +234,7 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
 
 	if (kflags & KRB5_KDB_FLAG_CLIENT) {
 		sflags |= SDB_F_GET_CLIENT;
-
-		if (!(kflags & KRB5_KDB_FLAG_REFERRAL_OK)) {
-			sflags |= SDB_F_FOR_AS_REQ;
-		}
+		sflags |= SDB_F_FOR_AS_REQ;
 	} else {
 		int equal = smb_krb5_principal_is_tgs(ctx->context, principal);
 		if (equal == -1) {
@@ -248,10 +245,7 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
 			sflags |= SDB_F_GET_KRBTGT;
 		} else {
 			sflags |= SDB_F_GET_SERVER;
-
-			if (!(kflags & KRB5_KDB_FLAG_REFERRAL_OK)) {
-				sflags |= SDB_F_FOR_TGS_REQ;
-			}
+			sflags |= SDB_F_FOR_TGS_REQ;
 		}
 	}
 #else /* KRB5_KDB_DAL_MAJOR_VERSION < 9 */
-- 
2.47.3