From d3de015b795243761f9e1c74b2dc0ba363115c37 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Fri, 3 Jul 2009 04:32:56 +0000
Subject: [PATCH] Check locked-out flag for client and server.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25306 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kerberos5.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 6d74f32f14c..a4bca2af0db 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -678,6 +678,12 @@ kdc_check_flags(krb5_context context,
 	hdb_entry *client = &client_ex->entry;
 
 	/* check client */
+	if (client->flags.locked_out) {
+	    kdc_log(context, config, 0,
+		    "Client (%s) is locked out", client_name);
+	    return KRB5KDC_ERR_POLICY;
+	}
+
 	if (client->flags.invalid) {
 	    kdc_log(context, config, 0,
 		    "Client (%s) has invalid bit set", client_name);
@@ -727,6 +733,11 @@ kdc_check_flags(krb5_context context,
     if (server_ex != NULL) {
 	hdb_entry *server = &server_ex->entry;
 
+	if (server->flags.locked_out) {
+	    kdc_log(context, config, 0,
+		    "Client server locked out -- %s", server_name);
+	    return KRB5KDC_ERR_POLICY;
+	}
 	if (server->flags.invalid) {
 	    kdc_log(context, config, 0,
 		    "Server has invalid flag set -- %s", server_name);
-- 
2.11.4.GIT