kdc: return revoked error if principal locked out

According to #788, Windows clients expect a revoked error to be returned if the
client or service principal is locked out, rather than a generic policy error. This
should not affect non-Windows code paths, as the locked_out HDB entry flag is not
otherwise used by Heimdal.
Luke Howard
2021-08-06 12:33:13 +10:00
parent 75829cad18
commit 5ba7f270eb


@@ -1527,7 +1527,7 @@ kdc_check_flags(astgs_request_t r, krb5_boolean is_as_req)
/* check client */
if (client->flags.locked_out) {
_kdc_audit_addreason((kdc_request_t)r, "Client is locked out");
return KRB5KDC_ERR_POLICY;
return KRB5KDC_ERR_CLIENT_REVOKED;
}
if (client->flags.invalid) {
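Review bot: The switch from KRB5KDC_ERR_POLICY to KRB5KDC_ERR_CLIENT_REVOKED on the locked_out branch makes the lock-out state of a principal distinguishable from other policy failures by whoever sent the request, which on the AS-REQ path is presumably an unauthenticated caller (hedged: kdc_check_flags takes is_as_req, but the call site is outside the hunk). That is a deliberate trade-off for Windows interoperability, so it should be recorded next to the return rather than only in the commit message, e.g. `/* Windows clients expect CLIENT_REVOKED, not POLICY, for a locked-out principal (#788); this discloses lock-out state in the error code */`. The same applies to the server->flags.locked_out branch in the second hunk, which now returns KRB5KDC_ERR_SERVICE_REVOKED. The audit reason strings are unchanged, so detection via _kdc_audit_addreason output is unaffected. kdc_check_flags starts and ends outside this hunk.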
@@ -1582,7 +1582,7 @@ kdc_check_flags(astgs_request_t r, krb5_boolean is_as_req)
if (server->flags.locked_out) {
_kdc_audit_addreason((kdc_request_t)r, "Server locked out");
return KRB5KDC_ERR_POLICY;
return KRB5KDC_ERR_SERVICE_REVOKED;
}
if (server->flags.invalid) {
_kdc_audit_addreason((kdc_request_t)r,