#define V4_KDB_REQUIRES_PREAUTH 0x1
#define V4_KDB_DISALLOW_ALL_TIX 0x2
#define V4_KDB_REQUIRES_PWCHANGE 0x4
-
+#define V4_KDB_DISALLOW_SVR 0x8
/* v4 compatibitly mode switch */
#define KDC_V4_NONE 0 /* Don't even respond to packets */
if (isflagset(entries.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
principal->attributes |= V4_KDB_DISALLOW_ALL_TIX;
}
+ if (issrv && isflagset(entries.attributes, KRB5_KDB_DISALLOW_SVR)) {
+ principal->attributes |= V4_KDB_DISALLOW_SVR;
+ }
if (isflagset(entries.attributes, KRB5_KDB_REQUIRES_PWCHANGE)) {
principal->attributes |= V4_KDB_REQUIRES_PWCHANGE;
}
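Review bot: The new `if (issrv && isflagset(entries.attributes, KRB5_KDB_DISALLOW_SVR))` branch is the only attribute copy here that depends on the caller's lookup mode, and nothing in the code says so; the neighbouring ALL_TIX and PWCHANGE flags are copied unconditionally. The `V4_KDB_DISALLOW_SVR` checks added later in this patch (the one that logs `p_name`/`instance` and the one in the krbtgt key path) therefore deny only when the lookup that filled `p` was made with `issrv` true. Those lookup calls are outside the visible lines, so that should be confirmed for each. I would add a comment above the branch such as `/* DISALLOW_SVR applies only when the principal is looked up as a service; client lookups never carry V4_KDB_DISALLOW_SVR */`. The enclosing function starts and ends outside the hunk.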
return KERB_ERR_NAME_EXP;
}
+ if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
+ lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: "
+ "\"%s\" \"%s\"", p_name, instance);
+ /* Not sure of a better error to return */
+ return KERB_ERR_NAME_EXP;
+ }
+
/*
* Does the principal require preauthentication?
*/
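Review bot: The `/* Not sure of a better error to return */` comment leaves the choice of `KERB_ERR_NAME_EXP` unexplained: a principal refused by policy is reported to the client as an expired name, and the `klog` line is the only record that tells the two apart. I would state that as the intent, e.g. `/* no dedicated policy-denied code is used here; reuse NAME_EXP, the klog entry carries the real reason */`, so whoever investigates an unexpected expiry error knows to look for the "V5 DISALLOW_SVR set" log entry. The names written between the quotes appear to come from the request; whether `klog` neutralises control characters is not visible here and is worth confirming. The enclosing function begins and ends outside the hunk.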
if (n == 0)
return (KFAILURE);
+ if (isflagset(p->attributes, V4_KDB_DISALLOW_ALL_TIX)) {
+ lt = klog(L_ERR_SEXP,
+ "V5 DISALLOW_ALL_TIX set: \"krbtgt\" \"%s\"", r);
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+ return KFAILURE;
+ }
+
+ if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
+ lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: \"krbtgt\" \"%s\"", r);
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+ return KFAILURE;
+ }
+
if (!K4KDC_ENCTYPE_OK(k5key.enctype)) {
krb_set_key_krb5(kdc_context, &k5key);
strncpy(lastrealm, r, sizeof(lastrealm) - 1);
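Review bot: The two new deny branches run only after a fresh lookup, and the `strncpy(lastrealm, r, ...)` context line suggests this function remembers the last realm it loaded a key for. If a cache-hit early return exists above the hunk (not visible here), a krbtgt principal flagged DISALLOW_ALL_TIX or DISALLOW_SVR after its key was cached would keep being accepted until the cached entry is replaced. Please confirm whether that is the case and, if so, document it next to the checks, e.g. `/* attribute checks run on lookup only; a previously cached key is not re-checked */`. The function begins and ends outside the hunk.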