authorAlexander Bokovoy <abokovoy@redhat.com>2014-12-05 21:22:23 +0200
committerMartin Kosek <mkosek@redhat.com>2015-02-16 16:29:59 +0100
commit92c3a9f1fd732a8e276bd3dd1420f5e2f6d0bf92 (patch)
tree891646959e9ba01e3f6cf1ff840eedf22b92992e /daemons
parent5247c0c4e2e2e02180e4cbf56aa68df57d1a8cf9 (diff)
ipa-kdb: when processing transitions, hand over unknown ones to KDC
When processing cross-realm trust transitions, let the KDC handle those we don't know about. Admins might define the transitions as explicit [capaths] in krb5.conf. https://fedorahosted.org/freeipa/ticket/4791 Reviewed-By: Sumit Bose <sbose@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 0f47d1f4b..88c432116 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2685,7 +2685,8 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
}
}
- ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ /* Tell to KDC that we don't handle this transition so that rules in krb5.conf could play its role */
+ ret = KRB5_PLUGIN_NO_HANDLE;
if (has_client_realm && has_transited_contents && has_server_realm) {
ret = 0;
}
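Review bot: The fallback at `ret = KRB5_PLUGIN_NO_HANDLE;` replaces a hard reject (`KRB5KRB_AP_ERR_ILL_CR_TKT`) with a deferral, and the new comment does not record that this path no longer fails closed. Any transition where one of `has_client_realm`, `has_transited_contents` or `has_server_realm` stays false is now decided by the KDC's core transited check instead of by IPA's trust data. On a KDC with no `[capaths]` entry for the realms involved, that check presumably falls back to the default hierarchical path rules, so acceptance is no longer limited to realms IPA knows as trusted. I would reword the comment along the lines of `/* Not a transition between realms we know: return KRB5_PLUGIN_NO_HANDLE so the KDC applies its own transited check ([capaths] in krb5.conf); this path no longer fails closed. */`, wrapped to the file's line length. The function starts and ends outside this hunk, so whether its earlier error paths still reject outright is not visible here.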