From d202191f9c6f304cfd603b1a78a56bb5a33fec49 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 18 Feb 2014 13:53:38 +1300
Subject: [PATCH] heimdal: Only indicate successful authentication after
 successful authz

This is needed to match Windows behaviour for NTLM logins.

Andrew Bartlett

Change-Id: I142de19b480cd6499d6f7f025f655e220558d54c
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source4/heimdal/kdc/kerberos5.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 939d1b01423..bab4b8ca542 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1448,10 +1448,6 @@ _kdc_as_rep(krb5_context context,
 	goto out;
     }
 
-    if (clientdb->hdb_auth_status)
-	(clientdb->hdb_auth_status)(context, clientdb, client,
-				    HDB_AUTH_SUCCESS);
-
     /*
      * Verify flags after the user been required to prove its identity
      * with in a preauth mech.
@@ -1463,6 +1459,10 @@ _kdc_as_rep(krb5_context context,
     if(ret)
 	goto out;
 
+    if (clientdb->hdb_auth_status)
+	(clientdb->hdb_auth_status)(context, clientdb, client,
+				    HDB_AUTH_SUCCESS);
+
     /*
      * Selelct the best encryption type for the KDC with out regard to
      * the client since the client never needs to read that data.
-- 
2.11.4.GIT