From 30bae409477da2c42d41ce2d42fa85b86d799c98 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 28 Nov 2013 13:28:29 +1300
Subject: heimdal: Do not attempt password authentication for locked out accounts

Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44
Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
---
 source4/heimdal/kdc/kerberos5.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index c13abb7ce0..20fbe409fe 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1175,6 +1175,14 @@ _kdc_as_rep(krb5_context context,
 }
 ts_enc:
 #endif
+
+ if (client->entry.flags.locked_out) {
+ ret = KRB5KDC_ERR_CLIENT_REVOKED;
+ kdc_log(context, config, 0,
+ "Client (%s) is locked out", client_name);
+ goto out;
+ }
+
 kdc_log(context, config, 5, "Looking for ENC-TS pa-data -- %s", client_name);
-- 
cgit
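Review bot: The new `locked_out` check after the `ts_enc:` label carries no comment saying why it must stay ahead of the ENC-TS handling, and that ordering is the security property of the change: refusing before any timestamp is decrypted means the reply for a locked-out account cannot depend on whether the supplied password was correct. I would add `/* Refuse before validating ENC-TS: a locked-out account must not yield a password-validity signal. */` above the `if`. Two things need confirming outside the hunk, since `_kdc_as_rep` starts and ends beyond it: whether the branch above `#endif` (presumably PKINIT) is meant to bypass the lockout, as the subject line's "password authentication" suggests, and whether returning `KRB5KDC_ERR_CLIENT_REVOKED` to a request that has not yet proven anything is an accepted disclosure of lockout state. The message is also logged at level 0 on every such request while the neighbouring line uses level 5, so repeated requests against a locked account can flood the log; a higher level or rate limiting may be appropriate.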