hdb_entry *client = &client_ex->entry;
/* check client */
+ if (client->flags.locked_out) {
+ kdc_log(context, config, 0,
+ "Client (%s) is locked out", client_name);
+ return KRB5KDC_ERR_POLICY;
+ }
+
if (client->flags.invalid) {
kdc_log(context, config, 0,
"Client (%s) has invalid bit set", client_name);
if (server_ex != NULL) {
hdb_entry *server = &server_ex->entry;
+ if (server->flags.locked_out) {
+ kdc_log(context, config, 0,
+ "Client server locked out -- %s", server_name);
+ return KRB5KDC_ERR_POLICY;
+ }
if (server->flags.invalid) {
kdc_log(context, config, 0,
"Server has invalid flag set -- %s", server_name);
AS_REP rep;
KDCOptions f = b->kdc_options;
hdb_entry_ex *client = NULL, *server = NULL;
+ HDB *clientdb;
krb5_enctype cetype, setype, sessionetype;
krb5_data e_data;
EncTicketPart et;
*/
ret = _kdc_db_fetch(context, config, client_princ,
- HDB_F_GET_CLIENT | flags, NULL, &client);
+ HDB_F_GET_CLIENT | flags, &clientdb, &client);
if(ret){
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name,
krb5_get_err_text(context, ret));
"No client key matching pa-data (%s) -- %s",
estr, client_name);
free(estr);
-
free_EncryptedData(&enc_data);
+
continue;
}
e_text = "Failed to decrypt PA-DATA";
free_EncryptedData(&enc_data);
+
+ if (clientdb->hdb_auth_status)
+ (clientdb->hdb_auth_status)(context, clientdb, client, HDB_AUTH_WRONG_PASSWORD);
+
ret = KRB5KDC_ERR_PREAUTH_FAILED;
continue;
}
goto out;
}
+ if (clientdb->hdb_auth_status)
+ (clientdb->hdb_auth_status)(context, clientdb, client,
+ HDB_AUTH_SUCCESS);
+
/*
* Verify flags after the user been required to prove its identity
* with in a preauth mech.