+2002-08-15 Tom Yu <tlyu@mit.edu>
+
+ * krb524d.c (kdc_get_server_key): Check for DISALLOW_ALL_TIX and
+ DISALLOW_SVR when looking up server key.
+
2002-07-24 Ezra Peisach <epeisach@bu.edu>
* krb524.h: Need to include port-sockets.h before socket-utils.h
kadm5_principal_ent_rec server;
if ((ret = kadm5_get_principal(handle, service, &server,
- KADM5_KEY_DATA)))
+ KADM5_KEY_DATA|KADM5_ATTRIBUTES)))
return ret;
+ if (server.attributes & KRB5_KDB_DISALLOW_ALL_TIX
+ || server.attributes & KRB5_KDB_DISALLOW_SVR) {
+ kadm5_free_principal_ent(handle, &server);
+ return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ }
+
/*
* We try kadm5_decrypt_key twice because in the case of a
* ENCTYPE_DES_CBC_CRC key, we prefer to find a krb4 salt type
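Review bot: The added check on `server.attributes` covers only `KRB5_KDB_DISALLOW_ALL_TIX` and `KRB5_KDB_DISALLOW_SVR`, and nothing in the hunk tests whether the service principal has expired. If the intent is to apply the same server-side policy the KDC applies, consider also requesting `KADM5_PRINC_EXPIRE_TIME` and comparing `server.princ_expire_time` against the current time; this is inferred, because kdc_get_server_key starts and ends outside the hunk and may handle it elsewhere. Returning `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN` makes a policy refusal look the same as a missing principal to anyone reading the daemon's logs, so if that is deliberate a short comment above the `if` saying so would help the next maintainer. The two tests also read more clearly as one mask, `if (server.attributes & (KRB5_KDB_DISALLOW_ALL_TIX | KRB5_KDB_DISALLOW_SVR)) {`, which does not rely on `&` binding tighter than `||`.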