heimdal: Match windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is...
commit 33fccb8bbec20b8a01263b629571404662b3a9c3
author Andrew Bartlett <abartlet@samba.org>
Wed, 30 Jun 2021 09:57:28 +0000 (30 21:57 +1200)
committer Luke Howard <lukeh@padl.com>
Fri, 6 Aug 2021 02:48:12 +0000 (6 12:48 +1000)
tree c3dcd4d2dc5c6c0051aa8d2e65d35383c0530d48
parent f03983b64d82da4ae8e2b510ebb6ad3f454d0c4d
heimdal: Match windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is locked out

Windows does not check the password on an account that has been locked.

Heimdal does not implement locked_out, however the Samba hdb
backend does, and needs this checked before passwords (for bad
password lockout), not after in kdc_check_access().

Based on work to update Samba to current Heimdal by
Gary Lockyer <gary@catalyst.net.nz> and including cherry-pick of
Samba commit 580a705b83014e94556b9d5a8877406816e02190 which noted
that we need to return KRB5KDC_ERR_CLIENT_REVOKED to match Windows.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
kdc/kerberos5.c
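
The check ordering the commit message describes, as an added example that is not Heimdal's or Samba's code: the account struct, function names and sample account are hypothetical, and only the two error-code values come from RFC 4120. With the lockout check first, a locked account gets the same reply whether or not the presented secret is right; with it last, the reply depends on the secret.

```c
#include <stdbool.h>
#include <string.h>

/* Error-code values from RFC 4120; the short names are local to this sketch. */
enum { KDC_OK = 0, ERR_CLIENT_REVOKED = 18, ERR_PREAUTH_FAILED = 24 };

/* Hypothetical account record, not Heimdal's hdb entry. */
struct account {
    const char *secret;      /* stands in for the long-term key */
    bool locked_out;
    int bad_pwd_count;
    int lockout_threshold;
};

static bool secret_matches(const struct account *a, const char *presented)
{
    return strcmp(a->secret, presented) == 0;   /* toy comparison only */
}

/* Lockout is tested before the password is looked at. */
int preauth_lockout_first(struct account *a, const char *presented)
{
    if (a->locked_out)
        return ERR_CLIENT_REVOKED;   /* password never evaluated */
    if (!secret_matches(a, presented)) {
        if (++a->bad_pwd_count >= a->lockout_threshold)
            a->locked_out = true;
        return ERR_PREAUTH_FAILED;
    }
    a->bad_pwd_count = 0;
    return KDC_OK;
}

/* Contrast: lockout is tested only after the password step. */
int preauth_lockout_last(struct account *a, const char *presented)
{
    if (!secret_matches(a, presented)) {
        a->bad_pwd_count++;
        return ERR_PREAUTH_FAILED;
    }
    return a->locked_out ? ERR_CLIENT_REVOKED : KDC_OK;
}

/* Constructed sample: an already locked account, checked with one secret. */
int probe_locked(int (*check)(struct account *, const char *), const char *presented)
{
    struct account a = { "correct", true, 3, 3 };
    return check(&a, presented);
}
```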