ipa-kdb: when processing transitions, hand over unknown ones to KDC

When processing cross-realm trust transitions, let the KDC to handle those we don't know about. Admins might define the transitions as explicit [capaths] in krb5.conf. https://fedorahosted.org/freeipa/ticket/4791 Reviewed-By: Sumit Bose <sbose@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
2025-01-28 09:06:44 -06:00 · 2014-12-05 21:22:23 +02:00 · 2014-12-05 21:22:23 +02:00 · 92c3a9f1fd
commit 92c3a9f1fd
parent 5247c0c4e2
1 changed files with 2 additions and 1 deletions
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@ -2685,7 +2685,8 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
 		}
 	}

-	ret = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	/* Tell to KDC that we don't handle this transition so that rules in krb5.conf could play its role */
+	ret = KRB5_PLUGIN_NO_HANDLE;
 	if (has_client_realm && has_transited_contents && has_server_realm) {
 		ret = 0;
 	}