heimdal: Match windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is locked out
Windows does not check the password of an account that has been locked out. Heimdal itself does not implement locked_out, but the Samba hdb backend does, and it needs the flag checked before the password is verified (so that bad-password lockout is enforced), not afterwards in kdc_check_access(). Based on work to update Samba to current Heimdal by Gary Lockyer <gary@catalyst.net.nz>, and including a cherry-pick of Samba commit 580a705b83014e94556b9d5a8877406816e02190, which noted that we need to return KRB5KDC_ERR_CLIENT_REVOKED to match Windows. Signed-off-by: Andrew Bartlett <abartlet@samba.org>

committed by
Luke Howard

parent
f03983b64d
commit
33fccb8bbe
@@ -580,6 +580,13 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (r->client->entry.flags.locked_out) {
|
||||||
|
ret = KRB5KDC_ERR_CLIENT_REVOKED;
|
||||||
|
kdc_log(r->context, r->config, 0,
|
||||||
|
"Client (%s) is locked out", r->cname);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
ret = decode_EncryptedData(pa->padata_value.data,
|
ret = decode_EncryptedData(pa->padata_value.data,
|
||||||
pa->padata_value.length,
|
pa->padata_value.length,
|
||||||
&enc_data,
|
&enc_data,
|
||||||
@@ -722,6 +729,13 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
|
|||||||
Key *pa_key;
|
Key *pa_key;
|
||||||
char *str;
|
char *str;
|
||||||
|
|
||||||
|
if (r->client->entry.flags.locked_out) {
|
||||||
|
ret = KRB5KDC_ERR_CLIENT_REVOKED;
|
||||||
|
kdc_log(r->context, r->config, 0,
|
||||||
|
"Client (%s) is locked out", r->cname);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
ret = decode_EncryptedData(pa->padata_value.data,
|
ret = decode_EncryptedData(pa->padata_value.data,
|
||||||
pa->padata_value.length,
|
pa->padata_value.length,
|
||||||
&enc_data,
|
&enc_data,
|
||||||
|