From 373a04870d6ecc99145a6267c008702ed3e24171 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 10 Dec 2014 14:59:38 +0200
Subject: ipa-kdb: reject principals from disabled domains as a KDC policy

Fixes https://fedorahosted.org/freeipa/ticket/4788

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 88c432116..0e53a8099 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1372,7 +1372,7 @@ static krb5_error_code filter_logon_info(krb5_context context,
                                    &domain->parent->sid_blacklist_incoming[k], true);
             if (result) {
                 filter_logon_info_log_message(info->info->info3.base.domain_sid);
-                return EINVAL;
+                return KRB5KDC_ERR_POLICY;
             }
         }
     }
-- 
cgit