ipa-kdb: reject principals from disabled domains as a KDC policy

Fixes https://fedorahosted.org/freeipa/ticket/4788 Reviewed-By: Sumit Bose <sbose@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
author: Alexander Bokovoy <abokovoy@redhat.com> 2014-12-10 14:59:38 +0200
committer: Martin Kosek <mkosek@redhat.com> 2015-02-16 16:30:57 +0100
commit: 373a04870d6ecc99145a6267c008702ed3e24171 (patch)
tree: 9c1bb0722a3c841842d3a12efda1bb6d10463b8c
parent: 92c3a9f1fd732a8e276bd3dd1420f5e2f6d0bf92 (diff)
download: freeipa-373a04870d6ecc99145a6267c008702ed3e24171.tar.gz
freeipa-373a04870d6ecc99145a6267c008702ed3e24171.tar.xz
freeipa-373a04870d6ecc99145a6267c008702ed3e24171.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 88c432116..0e53a8099 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1372,7 +1372,7 @@ static krb5_error_code filter_logon_info(krb5_context context,
                                    &domain->parent->sid_blacklist_incoming[k], true);
             if (result) {
                 filter_logon_info_log_message(info->info->info3.base.domain_sid);
-                return EINVAL;
+                return KRB5KDC_ERR_POLICY;
             }
         }
     }
author	Alexander Bokovoy <abokovoy@redhat.com>	2014-12-10 14:59:38 +0200
committer	Martin Kosek <mkosek@redhat.com>	2015-02-16 16:30:57 +0100
commit	373a04870d6ecc99145a6267c008702ed3e24171 (patch)
tree	9c1bb0722a3c841842d3a12efda1bb6d10463b8c
parent	92c3a9f1fd732a8e276bd3dd1420f5e2f6d0bf92 (diff)
download	freeipa-373a04870d6ecc99145a6267c008702ed3e24171.tar.gz freeipa-373a04870d6ecc99145a6267c008702ed3e24171.tar.xz freeipa-373a04870d6ecc99145a6267c008702ed3e24171.zip