From ca35aebc5db80bc0d5ce785d68e886f2ee0ee21e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 21 Sep 2017 12:02:25 +0200
Subject: [PATCH] s4:kdc: only map SDB_ERR_NOT_FOUND_HERE to HDB_ERR_NOT_FOUND_HERE

HDB_ERR_NOT_FOUND_HERE indicated a very specific error on an RODC. We should not map any error to HDB_ERR_NOT_FOUND_HERE, we should just pass errors along unmapped. Otherwise we'll hit the logic bug in:
if (ret == KDC_PROXY_REQUEST) {
uint16_t port;
if (!sock->kdc_socket->kdc->am_rodc) {
DEBUG(0,("kdc_udp_call_loop: proxying requested when not RODC"));
talloc_free(call);
goto done;
}
And just don't send an error message to the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13132
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
Autobuild-User(master): Andreas Schneider
Autobuild-Date(master): Wed Dec 6 23:16:54 CET 2017 on sn-devel-144
(cherry picked from commit aaa946bb9eb8088389b8ffdec460023f1961616c)
---
 source4/kdc/hdb-samba4.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 85d166f..47eaa1c 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -114,8 +114,10 @@ static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
 break;
 case SDB_ERR_NOENTRY:
 return HDB_ERR_NOENTRY;
- default:
+ case SDB_ERR_NOT_FOUND_HERE:
 return HDB_ERR_NOT_FOUND_HERE;
+ default:
+ return ret;
 }

 ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry_ex);
@@ -146,8 +148,10 @@ static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsign
 return HDB_ERR_WRONG_REALM;
 case SDB_ERR_NOENTRY:
 return HDB_ERR_NOENTRY;
- default:
+ case SDB_ERR_NOT_FOUND_HERE:
 return HDB_ERR_NOT_FOUND_HERE;
+ default:
+ return ret;
 }

 ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry);
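Review bot: In hdb_samba4_fetch_kvno the new `default: return ret;` hands any code without an explicit case to the HDB caller untranslated, and nothing at that branch says this is deliberate; hdb_samba4_firstkey and hdb_samba4_nextkey get the identical branch. The commit message explains why the old catch-all was harmful (an unrelated failure looked like a proxy request and the client got no reply), and that reasoning belongs next to the code, for example `/* pass other errors through; only SDB_ERR_NOT_FOUND_HERE may become HDB_ERR_NOT_FOUND_HERE */` above `default:`. A near-identical switch is patched six times in this file, so a single static mapping helper would keep a later edit from reintroducing a catch-all in one copy. Whether every remaining unmapped value is meaningful to the caller as a krb5_error_code cannot be seen from these lines and is worth confirming. All three functions begin and end outside their hunks.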
@@ -173,8 +177,10 @@ static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigne
 return HDB_ERR_WRONG_REALM;
 case SDB_ERR_NOENTRY:
 return HDB_ERR_NOENTRY;
- default:
+ case SDB_ERR_NOT_FOUND_HERE:
 return HDB_ERR_NOT_FOUND_HERE;
+ default:
+ return ret;
 }

 ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry);
@@ -214,9 +220,11 @@ hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
 case SDB_ERR_NOENTRY:
 ret = HDB_ERR_NOENTRY;
 break;
- default:
+ case SDB_ERR_NOT_FOUND_HERE:
 ret = HDB_ERR_NOT_FOUND_HERE;
 break;
+ default:
+ break;
 }

 return ret;
@@ -248,9 +256,11 @@ hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
 case SDB_ERR_NOENTRY:
 ret = HDB_ERR_NOENTRY;
 break;
- default:
+ case SDB_ERR_NOT_FOUND_HERE:
 ret = HDB_ERR_NOT_FOUND_HERE;
 break;
+ default:
+ break;
 }

 return ret;
@@ -282,9 +292,11 @@ hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
 case SDB_ERR_NOENTRY:
 ret = HDB_ERR_NOENTRY;
 break;
- default:
+ case SDB_ERR_NOT_FOUND_HERE:
 ret = HDB_ERR_NOT_FOUND_HERE;
 break;
+ default:
+ break;
 }

 return ret;
-- 
1.9.1
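Review bot: The `default: break;` added to hdb_samba4_check_constrained_delegation is an empty branch whose purpose, leaving `ret` untouched for the `return ret;` below, is explained only in the commit message; hdb_samba4_check_pkinit_ms_upn_match and hdb_samba4_check_s4u2self get the same branch. Judging by their names these three are authorization checks, so the pass-through stays fail-closed only if their callers treat every non-zero return as a refusal, which these hunks do not show. I would put `/* any other error is returned unmapped; callers must treat it as a denial */` on the branch. The function bodies start outside the hunks.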