validate that default@ have KRB5_KDB_DISALLOW_ALL_TIX

kadmin/check.c

@@ -51,7 +51,7 @@ get_check_entry(const char *name, kadm5_principal_ent_rec *ent)
     }
 
     memset(ent, 0, sizeof(*ent));
-    ret = kadm5_get_principal(kadm_handle, principal, ent, 0);
+    ret = kadm5_get_principal(kadm_handle, principal, ent, KADM5_ATTRIBUTES);
     krb5_free_principal(context, principal);
     if(ret)
 	return 1;
@@ -184,6 +184,35 @@ check(void *opt, int argc, char **argv)
 
     kadm5_free_principal_ent(kadm_handle, &ent);
 
+    /*
+     * Check default@REALM
+     *
+     * Check that disallow-all-tix is set on the default principal
+     * (or that the entry doesn't exists)
+     */
+
+    if (asprintf(&p, "default@%s", realm) == -1) {
+	krb5_warn(context, errno, "asprintf");
+	goto fail;
+    }
+
+    ret = get_check_entry(p, &ent);
+    if (ret == 0) {
+	if ((ent.attributes & KRB5_KDB_DISALLOW_ALL_TIX) == 0) {
+	    printf("default template entry is not disabled\n");
+	    ret = EINVAL;
+	}
+	kadm5_free_principal_ent(kadm_handle, &ent);
+
+    } else {
+	ret = 0;
+    }
+
+    free(p);
+
+    if (ret)
+	goto fail;
+
     /*
      * Check for duplicate afs keys
      */