kdc: Return NEVER_VALID error code if ticket will never be valid lorikeet-heimdal lorikeet-heimdal-202305160500
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 13 Apr 2023 23:47:08 +0000 (11:47 +1200)
committerJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 16 May 2023 05:11:13 +0000 (17:11 +1200)
This matches the error generated by Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
kdc/kerberos5.c

index b10e125af339bf4d9ba50dc5be1ed8eb27772f5a..416fd29f553689f8d2ee34cda35345e22d2b089b 100644 (file)
@@ -2576,6 +2576,13 @@ _kdc_as_rep(astgs_request_t r)
        t = min(t, rk_time_add(start, realm->max_life));
 #endif
        r->et.endtime = t;
+
+       if (start > r->et.endtime) {
+           _kdc_set_e_text(r, "Requested effective lifetime is negative or too short");
+           ret = KRB5KDC_ERR_NEVER_VALID;
+           goto out;
+       }
+
        if(f.renewable_ok && r->et.endtime < *b->till){
            f.renewable = 1;
            if(b->rtime == NULL){
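Review bot: The new guard `if (start > r->et.endtime)` is strict, so a request whose clamped end time equals `start` still gets a ticket with a zero-length lifetime, although the e-text says "negative or too short". If the equal case should also be refused, the condition would be `if (start >= r->et.endtime) {`. Whether Windows rejects that case is not visible here, so confirm it against the behaviour the commit message refers to. If zero-length tickets are deliberately allowed, a comment such as `/* endtime == start is allowed; only a negative lifetime is NEVER_VALID */` would stop the message and the test from reading as contradictory. The body of `_kdc_as_rep` continues outside the hunk, so any audit or logging done at the `out` label cannot be checked from here.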