Align locked out account behaviour with Windows
authorGary Lockyer <gary@catalyst.net.nz>
Wed, 20 Sep 2017 03:35:10 +0000 (15:35 +1200)
committerStefan Metzmacher <metze@samba.org>
Wed, 29 Apr 2020 09:07:57 +0000 (11:07 +0200)
Windows does not check the password on an account that has been locked.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
kdc/kerberos5.c

index 7f780da3a0659eb34bef57e0260966c4ecce24dc..75a90c41527f1978d0e8821eb3283db984fa1675 100644 (file)
@@ -518,6 +518,14 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
        return ret;
     }
 
+    if (r->client->entry.flags.locked_out) {
+       ret = KRB5KDC_ERR_CLIENT_REVOKED;
+       kdc_log(r->context, r->config, 0,
+               "Client (%s) is locked out", r->client_name);
+       return ret;
+    }
+
+
     ret = decode_EncryptedData(pa->padata_value.data,
                               pa->padata_value.length,
                               &enc_data,
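Review bot: The new locked_out check in pa_enc_chal_validate carries no comment explaining why it must sit ahead of decode_EncryptedData, and that ordering is the security property of the change: the request is refused before the encrypted challenge is decoded, so the reply for a locked-out account does not depend on whether the supplied password was right. I would add above the `if`: `/* Refuse before decoding the padata: a locked-out account must not reveal whether the password was correct (matches Windows). */`. The same comment belongs on the identical block added to pa_enc_ts_validate. The function body starts and ends outside the hunk, so whether this early return skips any audit or bad-password accounting further down could not be checked from here. Minor: two blank lines follow the block where the surrounding code uses one.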
@@ -659,7 +667,14 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
     size_t len;
     Key *pa_key;
     char *str;
-       
+
+    if (r->client->entry.flags.locked_out) {
+       ret = KRB5KDC_ERR_CLIENT_REVOKED;
+       kdc_log(r->context, r->config, 0,
+               "Client (%s) is locked out", r->client_name);
+       return ret;
+    }
+
     ret = decode_EncryptedData(pa->padata_value.data,
                               pa->padata_value.length,
                               &enc_data,
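Review bot: This six-line lockout check is a verbatim copy of the one added to pa_enc_chal_validate, so the error code and log line can drift apart. Any other pre-authentication validator in this file (none are visible in the diff) would also still process credentials for a locked-out account. A small static helper called from each validator would keep the policy in one place and make it easy to apply to further mechanisms. The helper name below is only a suggestion, and its return type assumes `ret` is a krb5_error_code, which the hunk does not show. pa_enc_ts_validate continues past the end of the hunk.

```c
/* Refuse pre-authentication for a locked-out client before any padata is decoded. */
static krb5_error_code
pa_check_locked_out(astgs_request_t r)
{
    if (!r->client->entry.flags.locked_out)
        return 0;

    kdc_log(r->context, r->config, 0,
            "Client (%s) is locked out", r->client_name);
    return KRB5KDC_ERR_CLIENT_REVOKED;
}

/* in pa_enc_chal_validate() and pa_enc_ts_validate(), replacing the inline block */
ret = pa_check_locked_out(r);
if (ret)
    return ret;
```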