A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.

entry_ex->entry.principal->realm needs to return the real realm of the principal
(or at least a the realm of the next cross-realm trust hop).

This is needed to route enterprise principals between AD domain trusts.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

This change ensures that our RODC will correctly proxy when asked to provide
a ticket for a service or user where the keys are not on this RODC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

The value of this commit to Samba is to continue to match Heimdal's
upstream code in this area.  Because we set HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL
there is no runtime difference.

(commit message by Andrew Bartlett)

Cherry-pick of Heimdal commit 9aa7883ff2efb3e0a60016c9090c577acfd0779f

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

The useful change in Samba from this commit is that we gain
validation of the enterprise principal name.

(commit message by Andrew Bartlett)

Cherry-pick of Heimdal commit c76ec8ec6a507a6f34ca80c11e5297146acff83f

Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

This means that no reply packet should be generated, but that instead
the user of the libkdc API should forward the packet to a real KDC,
that has a full database.

Andrew Bartlett

This should allow master key rollover.

(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)

Andrew Bartlett