Patch from Andrew bartlett via heimdal-bugs@h5l.org

kdc Allow a password change when the password is expired

    This requires a rework on Heimdal's windc plugin layer, as we want
    full control over what tickets Heimdal will issue.  (In particular, in
    case our requirements become more complex in future).

    The original problem was that Heimdal's check would permit the ticket,
    but Samba would then deny it, not knowing it was for kadmin/changepw

    Andrew Bartlett

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25294 ec53bebd-3082-4978-b11e-865c3cabbd6b

kdc/kerberos5.c

@@ -668,11 +668,11 @@ log_as_req(krb5_context context,
  */
 
 krb5_error_code
-_kdc_check_flags(krb5_context context,
-		 krb5_kdc_configuration *config,
-		 hdb_entry_ex *client_ex, const char *client_name,
-		 hdb_entry_ex *server_ex, const char *server_name,
-		 krb5_boolean is_as_req)
+kdc_check_flags(krb5_context context,
+		krb5_kdc_configuration *config,
+		hdb_entry_ex *client_ex, const char *client_name,
+		hdb_entry_ex *server_ex, const char *server_name,
+		krb5_boolean is_as_req)
 {
     if(client_ex != NULL) {
 	hdb_entry *client = &client_ex->entry;
@@ -921,7 +921,6 @@ _kdc_as_rep(krb5_context context,
 		"AS-REQ malformed server name from %s", from);
 	goto out;
     }
-
     if(b->cname == NULL){
 	ret = KRB5KRB_ERR_GENERIC;
 	e_text = "No client in request";
@@ -1329,14 +1328,9 @@ _kdc_as_rep(krb5_context context,
      * with in a preauth mech.
      */
 
-    ret = _kdc_check_flags(context, config,
-			   client, client_name,
-			   server, server_name,
-			   TRUE);
-    if(ret)
-	goto out;
-
-    ret = _kdc_windc_client_access(context, client, req, &e_data);
+    ret = _kdc_check_access(context, config, client, client_name,
+			    server, server_name,
+			    req, &e_data);
     if(ret)
 	goto out;