* krb524d.c (kdc_get_server_key): Check for DISALLOW_ALL_TIX and
authorTom Yu <tlyu@mit.edu>
Thu, 15 Aug 2002 20:49:43 +0000 (20:49 +0000)
committerTom Yu <tlyu@mit.edu>
Thu, 15 Aug 2002 20:49:43 +0000 (20:49 +0000)
DISALLOW_SVR when looking up server key.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14728 dc483132-0cff-0310-8789-dd5450dbe970

src/krb524/ChangeLog
src/krb524/krb524d.c

index 4b86104e1e8c339e163af3fe47fa40d47cf262ed..0cb7947e5436dd8ce479de373f6a24797386f90d 100644 (file)
@@ -1,3 +1,8 @@
+2002-08-15  Tom Yu  <tlyu@mit.edu>
+
+       * krb524d.c (kdc_get_server_key): Check for DISALLOW_ALL_TIX and
+       DISALLOW_SVR when looking up server key.
+
 2002-07-24  Ezra Peisach  <epeisach@bu.edu>
 
        * krb524.h: Need to include port-sockets.h before socket-utils.h
index 4d55b88a23241c8c90ed2cfd3e67efedffb2667b..ad7c43978ecc8a1b1306d78e1e24dba0c8fda75e 100644 (file)
@@ -452,9 +452,15 @@ krb5_error_code kdc_get_server_key(context, service, key, kvnop, ktype, kvno)
     kadm5_principal_ent_rec server;
     
     if ((ret = kadm5_get_principal(handle, service, &server,
-                                  KADM5_KEY_DATA)))
+                                  KADM5_KEY_DATA|KADM5_ATTRIBUTES)))
         return ret;
 
+    if (server.attributes & KRB5_KDB_DISALLOW_ALL_TIX
+       || server.attributes & KRB5_KDB_DISALLOW_SVR) {
+       kadm5_free_principal_ent(handle, &server);
+       return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+    }
+
     /*
      * We try kadm5_decrypt_key twice because in the case of a
      * ENCTYPE_DES_CBC_CRC key, we prefer to find a krb4 salt type
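Review bot: The new attribute test is uncommented and depends on `KADM5_ATTRIBUTES` being in the `kadm5_get_principal` mask a few lines above. If that mask is trimmed later, `server.attributes` would presumably not be filled in, and the check could then pass for a disabled service principal. I would add a comment above the `if`, such as `/* Refuse keys for principals flagged DISALLOW_ALL_TIX or DISALLOW_SVR; requires KADM5_ATTRIBUTES in the mask above. */`. The two tests also read more clearly as one mask, `if (server.attributes & (KRB5_KDB_DISALLOW_ALL_TIX | KRB5_KDB_DISALLOW_SVR)) {`. The refusal is silent in the visible lines, so if the function (which starts before and continues past this hunk) has a logging path, recording the service name here would help operators notice requests against locked-out services.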