heimdal: Do not attempt password authentication for locked out accounts

Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
author: Andrew Bartlett <abartlet@samba.org> 2013-11-28 13:28:29 +1300
committer: Stefan Metzmacher <metze@samba.org> 2014-04-02 17:12:47 +0200
commit: 30bae409477da2c42d41ce2d42fa85b86d799c98 (patch)
tree: 3bc9d00e7150e7d3ca2a1a3b5443fc98ce4a7256
parent: 7e653f5ae28c822c2e9c42dd2853126f7f86f0f0 (diff)
download: samba-30bae409477da2c42d41ce2d42fa85b86d799c98.tar.gz
samba-30bae409477da2c42d41ce2d42fa85b86d799c98.tar.xz
samba-30bae409477da2c42d41ce2d42fa85b86d799c98.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index c13abb7ce0..20fbe409fe 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1175,6 +1175,14 @@ _kdc_as_rep(krb5_context context,
 	}
     ts_enc:
 #endif
+
+	if (client->entry.flags.locked_out) {
+	    ret = KRB5KDC_ERR_CLIENT_REVOKED;
+	    kdc_log(context, config, 0,
+		    "Client (%s) is locked out", client_name);
+	    goto out;
+	}
+
 	kdc_log(context, config, 5, "Looking for ENC-TS pa-data -- %s",
 		client_name);
author	Andrew Bartlett <abartlet@samba.org>	2013-11-28 13:28:29 +1300
committer	Stefan Metzmacher <metze@samba.org>	2014-04-02 17:12:47 +0200
commit	30bae409477da2c42d41ce2d42fa85b86d799c98 (patch)
tree	3bc9d00e7150e7d3ca2a1a3b5443fc98ce4a7256
parent	7e653f5ae28c822c2e9c42dd2853126f7f86f0f0 (diff)
download	samba-30bae409477da2c42d41ce2d42fa85b86d799c98.tar.gz samba-30bae409477da2c42d41ce2d42fa85b86d799c98.tar.xz samba-30bae409477da2c42d41ce2d42fa85b86d799c98.zip