return KDC_ERR_BADOPTION;
}
- /* The client's password must not be expired, unless the server is
- a KRB5_KDC_PWCHANGE_SERVICE. */
- if (client.pw_expiration && client.pw_expiration < kdc_time &&
- !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
- *status = "CLIENT KEY EXPIRED";
+ /* The client must not be expired */
+ if (client.expiration && client.expiration < kdc_time) {
+ *status = "CLIENT EXPIRED";
#ifdef KRBCONF_VAGUE_ERRORS
return(KRB_ERR_GENERIC);
#else
- return(KDC_ERR_KEY_EXP);
+ return(KDC_ERR_NAME_EXP);
#endif
}
- /* The client must not be expired */
- if (client.expiration && client.expiration < kdc_time) {
- *status = "CLIENT EXPIRED";
+ /* The client's password must not be expired, unless the server is
+ a KRB5_KDC_PWCHANGE_SERVICE. */
+ if (client.pw_expiration && client.pw_expiration < kdc_time &&
+ !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
+ *status = "CLIENT KEY EXPIRED";
#ifdef KRBCONF_VAGUE_ERRORS
return(KRB_ERR_GENERIC);
#else
- return(KDC_ERR_NAME_EXP);
+ return(KDC_ERR_KEY_EXP);
#endif
}
int errcode;
krb5_db_entry server = { 0 };
+ /* The client must not be expired */
+ if (client->expiration && client->expiration < kdc_time) {
+ *status = "CLIENT EXPIRED";
+ return KDC_ERR_NAME_EXP;
+ }
+
/* The client's password must not be expired, unless the server is
a KRB5_KDC_PWCHANGE_SERVICE. */
if (client->pw_expiration && client->pw_expiration < kdc_time) {
return KDC_ERR_KEY_EXP;
}
- /* The client must not be expired */
- if (client->expiration && client->expiration < kdc_time) {
- *status = "CLIENT EXPIRED";
- return KDC_ERR_NAME_EXP;
- }
-
/*
* If the client requires password changing, then return an
* error; S4U2Self cannot be used to change a password.