From 60024cdd730bc2c97ab80b1e8c7d26da9f9bd624 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 25 Nov 2013 14:09:48 +1300
Subject: [PATCH] kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to
 NT_STATUS_ACCOUNT_LOCKED_OUT

Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source3/libads/krb5_errs.c          | 2 +-
 source4/auth/gensec/gensec_gssapi.c | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c
index d4ff09a5106..8eb5d8247b1 100644
--- a/source3/libads/krb5_errs.c
+++ b/source3/libads/krb5_errs.c
@@ -28,7 +28,7 @@ static const struct {
 } krb5_to_nt_status_map[] = {
 	{KRB5_CC_IO, NT_STATUS_UNEXPECTED_IO_ERROR},
 	{KRB5KDC_ERR_BADOPTION, NT_STATUS_INVALID_PARAMETER},
-	{KRB5KDC_ERR_CLIENT_REVOKED, NT_STATUS_ACCESS_DENIED},
+	{KRB5KDC_ERR_CLIENT_REVOKED, NT_STATUS_ACCOUNT_LOCKED_OUT},
 	{KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME},
 	{KRB5KDC_ERR_ETYPE_NOSUPP, NT_STATUS_LOGON_FAILURE},
 #if defined(KRB5KDC_ERR_KEY_EXP) /* MIT */
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 0bb307f989a..63fda1f807d 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -306,6 +306,9 @@ static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_securi
 	case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
 		DEBUG(1, ("Wrong username or password: %s\n", error_string));
 		return NT_STATUS_LOGON_FAILURE;
+	case KRB5KDC_ERR_CLIENT_REVOKED:
+		DEBUG(1, ("Account locked out: %s\n", error_string));
+		return NT_STATUS_ACCOUNT_LOCKED_OUT;
 	case KRB5_KDC_UNREACH:
 		DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
 		return NT_STATUS_NO_LOGON_SERVERS;
-- 
2.11.4.GIT