WIP: debug client referral

daemons/ipa-kdb/ipa_kdb_principals.c

@@ -1290,6 +1290,8 @@ static krb5_error_code ipadb_process_enterprise_principal(krb5_context kcontext,
     /* enterprise principal can only have single component in the name
      * according to RFC6806 section 5. */
     if (krb5_princ_size(kcontext, search_for) != 1) {
+        krb5_klog_syslog(LOG_ERR,
+                            "enterprise principal has more than one component!\n");
         kerr = KRB5_KDB_NOENTRY;
         goto done;
     }
@@ -1301,6 +1303,8 @@ static krb5_error_code ipadb_process_enterprise_principal(krb5_context kcontext,
         goto done;
     }
 
+    krb5_klog_syslog(LOG_ERR,
+                        "inner principal is %s\n", principal);
     /* Re-parse the principal to normalize it */
     kerr = krb5_parse_name(kcontext, principal, &norm_princ);
     if (kerr != 0) {
@@ -1309,21 +1313,15 @@ static krb5_error_code ipadb_process_enterprise_principal(krb5_context kcontext,
 
     *in_realm = krb5_realm_compare(kcontext, ipactx->local_tgs, norm_princ);
     if (*in_realm) {
+        krb5_klog_syslog(LOG_ERR,
+                            "inner principal is ours\n");
         kerr = 0;
         *out_princ = norm_princ;
         goto done;
     }
 
     /* the request is out of realm from here */
 
-    if (((flags & KRB5_KDB_FLAG_CANONICALIZE) == 0) ||
-        ((flags & KRB5_KDB_FLAG_INCLUDE_PAC) != 0)) {
-        /* out of realm, no way to find this entry */
-        krb5_free_principal(kcontext, norm_princ);
-        kerr = KRB5_KDB_NOENTRY;
-        goto done;
-    }
-
     /* Determine the trusted realm to refer to */
     realm = krb5_princ_realm(kcontext, norm_princ);
     kerr = ipadb_is_princ_from_trusted_realm(kcontext,
@@ -1344,10 +1342,27 @@ static krb5_error_code ipadb_process_enterprise_principal(krb5_context kcontext,
     }
 
     if (kerr != 0) {
-        goto done;
+        if (flags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | KRB5_KDB_FLAG_CANONICALIZE)) {
+            /* client referral to unknown realm. It could be our own UPN */
+            *out_princ = norm_princ;
+            kerr = KRB5_KDB_NOENTRY;
+            goto done;
+        } else {
+            /* out of realm, no way to find this entry */
+            krb5_free_principal(kcontext, norm_princ);
+            kerr = KRB5_KDB_NOENTRY;
+            krb5_klog_syslog(LOG_ERR,
+                                "out of realm, we don't know it, flags=%x\n", flags);
+            goto done;
+        }
     }
 
-    if (flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) {
+    krb5_klog_syslog(LOG_ERR,
+                        "kerr=%d, trusted realm is %s\n", kerr, trusted_realm);
+
+    if (flags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | KRB5_KDB_FLAG_CANONICALIZE)) {
+        krb5_klog_syslog(LOG_ERR,
+                            "client referral, moving to realm %s\n", trusted_realm);
         /* client referral: force trusted realm in response */
         krb5_free_principal(kcontext, norm_princ);
         kerr = krb5_copy_principal(kcontext, search_for, &norm_princ);
@@ -1364,6 +1379,8 @@ static krb5_error_code ipadb_process_enterprise_principal(krb5_context kcontext,
     } else {
         /* server referrals: lookup krbtgt/next_realm@our_realm */
         krb5_principal tgtp;
+        krb5_klog_syslog(LOG_ERR,
+                            "server referral, moving to realm %s\n", trusted_realm);
 
         krb5_free_principal(kcontext, norm_princ);
         kerr = krb5_build_principal_ext(kcontext, &tgtp,
@@ -1441,6 +1458,11 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
                 goto done;
             }
         }
+    } else if (((kerr == KRB5_KDB_NOENTRY) && (norm_princ != NULL)) &&
+               (flags &
+                (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | KRB5_KDB_FLAG_CANONICALIZE))) {
+        /* possible UPN to look up */
+        look_for = norm_princ;
     } else if (kerr == KRB5KDC_ERR_BADOPTION) {
         look_for = search_for;
     } else {