From 05a5c19e417be605aa49327e42ac3ba2335c4646 Mon Sep 17 00:00:00 2001
From: Johan Danielsson <joda@pdc.kth.se>
Date: Fri, 20 Mar 1998 23:48:37 +0000
Subject: [PATCH] (tgs_rep2): check for interesting flags on involved
 principals.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4614 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kerberos5.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 100dd7288..2d10add0d 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1464,6 +1464,32 @@ tgs_rep2(KDC_REQ_BODY *b,
 	}
 #endif
 
+	/* check principal flags */
+	if(server->flags.invalid) {
+	    kdc_log(0, "%s has `invalid' flag set", spn);
+	    ret = KRB5KDC_ERR_SERVICE_NOTYET;
+	    goto out;
+	}
+	if(!server->flags.server) {
+	    kdc_log(0, "%s may not act as server", spn);
+	    ret = KRB5KDC_ERR_POLICY;
+	    goto out;
+	}
+	if(server->flags.initial) {
+	    kdc_log(0, "%s has `initial' flag set", spn);
+	    ret = KRB5KDC_ERR_POLICY;
+	    goto out;
+	}
+	if(client->flags.invalid) {
+	    kdc_log(0, "%s has `invalid' flag set", cpn);
+	    ret = KRB5KDC_ERR_CLIENT_NOTYET;
+	    goto out;
+	}
+	if(!client->flags.client) {
+	    kdc_log(0, "%s may not act as client", cpn);
+	    ret = KRB5KDC_ERR_POLICY;
+	    goto out;
+	}
 
 	if((b->kdc_options.validate || b->kdc_options.renew) && 
 	   !krb5_principal_compare(context,