kdc: Do not return ETYPE-INFO if the client is locked out
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 17 May 2023 03:51:56 +0000 (15:51 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 28 Nov 2023 22:51:23 +0000 (11:51 +1300)
This matches the behaviour of Windows.


Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
kdc/kerberos5.c

index 7b7919832a3b65acd3e1ac8c91f6463591a40f7c..de9dac029eeea3c48e3c0ee9409962b07699bb4c 100644 (file)
@@ -2538,14 +2538,16 @@ _kdc_as_rep(astgs_request_t r)
                    /*
                     * If there is a client key, send ETYPE_INFO{,2}
                     */
-                   ret2 = _kdc_find_etype(r, KFE_IS_PREAUTH|KFE_USE_CLIENT,
-                                          b->etype.val, b->etype.len,
-                                          NULL, &ckey, &default_salt);
-                   if (ret2 == 0) {
-                       ret2 = get_pa_etype_info_both(r->context, config, &b->etype,
-                                                     r->rep.padata, ckey, !default_salt);
-                       if (ret2 != 0)
-                           ret = ret2;
+                   if (!r->client->flags.locked_out) {
+                           ret2 = _kdc_find_etype(r, KFE_IS_PREAUTH|KFE_USE_CLIENT,
+                                                  b->etype.val, b->etype.len,
+                                                  NULL, &ckey, &default_salt);
+                           if (ret2 == 0) {
+                               ret2 = get_pa_etype_info_both(r->context, config, &b->etype,
+                                                             r->rep.padata, ckey, !default_salt);
+                               if (ret2 != 0)
+                                   ret = ret2;
+                           }
                    }
                    goto out;
                }
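Review bot: The comment kept at the top of the hunk ("If there is a client key, send ETYPE_INFO{,2}") is now incomplete, because the new `if (!r->client->flags.locked_out)` guard adds a second condition that a reader of the comment will not expect; I would change it to `/* If there is a client key and the client is not locked out, send ETYPE_INFO{,2} (matching Windows). */`. The new body is indented by eight columns inside the guard while the surrounding nesting (the `if (ret2 == 0)` block) steps by four, so the added lines should be re-indented to the file's step. The lockout check dereferences `r->client` without a NULL test; if this branch is reachable when no client entry was loaded that would need a guard, though it may already be guaranteed non-NULL earlier in `_kdc_as_rep`, which starts and ends outside the hunk. Note also that the reply for a locked-out client now differs visibly (no ETYPE-INFO padata), which is the intended Windows-compatible behaviour and worth a sentence in the commit message.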