heimdal: Match windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is locked out

Windows does not check the password on an account that has been locked.

Heimdal does not implement locked_out; however, the Samba hdb
backend does, and needs this checked before passwords (for bad
password lockout), not after in kdc_check_access().

Based on work to update Samba to current Heimdal by
Gary Lockyer <gary@catalyst.net.nz> and including cherry-pick of
Samba commit 580a705b83014e94556b9d5a8877406816e02190 which noted
that we need to return KRB5KDC_ERR_CLIENT_REVOKED to match Windows.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett
2021-06-30 21:57:28 +12:00
committed by Luke Howard
parent f03983b64d
commit 33fccb8bbe


@@ -580,6 +580,13 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
return ret;
}
if (r->client->entry.flags.locked_out) {
ret = KRB5KDC_ERR_CLIENT_REVOKED;
kdc_log(r->context, r->config, 0,
"Client (%s) is locked out", r->cname);
return ret;
}
ret = decode_EncryptedData(pa->padata_value.data,
pa->padata_value.length,
&enc_data,
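Review bot: the locked_out check added here is repeated verbatim in pa_enc_ts_validate; factoring it into one static helper taking astgs_request_t would keep the two copies from drifting and give any future password-based preauth validator the same early rejection instead of relying on the later kdc_check_access() path. Placing the check before decode_EncryptedData() is the right spot for what the commit message requires, since the challenge is never decrypted and so the password is never exercised on a locked account. Minor style point: `ret = KRB5KDC_ERR_CLIENT_REVOKED; ... return ret;` could be a direct `return KRB5KDC_ERR_CLIENT_REVOKED;` after the kdc_log() call, though the current form matches the surrounding code.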
@@ -722,6 +729,13 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
Key *pa_key;
char *str;
if (r->client->entry.flags.locked_out) {
ret = KRB5KDC_ERR_CLIENT_REVOKED;
kdc_log(r->context, r->config, 0,
"Client (%s) is locked out", r->cname);
return ret;
}
ret = decode_EncryptedData(pa->padata_value.data,
pa->padata_value.length,
&enc_data,
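Review bot: the check dereferences r->client->entry.flags with no guard on r->client, so it depends on the caller having already loaded the client entry before any preauth validator runs; that matches the assumption the companion hunk in pa_enc_chal_validate makes, but it is worth confirming for this path, since the check now sits right after the local declarations and ahead of everything else. The log line is identical to the one in pa_enc_chal_validate, so a defender correlating lockout events cannot tell from the message which preauth mechanism was attempted; consider naming the mechanism (for example "enc-timestamp") in the kdc_log() text.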