From: Tom Yu Date: Thu, 15 Aug 2002 20:49:43 +0000 (+0000) Subject: * krb524d.c (kdc_get_server_key): Check for DISALLOW_ALL_TIX and X-Git-Tag: krb5-1.3-alpha1~500 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=b019edf69c6a146fac5efeeb1a20dcece19d7280;p=krb5.git * krb524d.c (kdc_get_server_key): Check for DISALLOW_ALL_TIX and DISALLOW_SVR when looking up server key. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14728 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog
index 4b86104e1..0cb7947e5 100644
--- a/src/krb524/ChangeLog
+++ b/src/krb524/ChangeLog
@@ -1,3 +1,8 @@
+2002-08-15 Tom Yu
+
+ * krb524d.c (kdc_get_server_key): Check for DISALLOW_ALL_TIX and
+ DISALLOW_SVR when looking up server key.
+
 2002-07-24 Ezra Peisach * krb524.h: Need to include port-sockets.h before socket-utils.h
diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c
index 4d55b88a2..ad7c43978 100644
--- a/src/krb524/krb524d.c
+++ b/src/krb524/krb524d.c
@@ -452,9 +452,15 @@ krb5_error_code kdc_get_server_key(context, service, key, kvnop, ktype, kvno)
 kadm5_principal_ent_rec server; if ((ret = kadm5_get_principal(handle, service, &server,
- KADM5_KEY_DATA)))
+ KADM5_KEY_DATA|KADM5_ATTRIBUTES)))
 return ret;
+ if (server.attributes & KRB5_KDB_DISALLOW_ALL_TIX
+ || server.attributes & KRB5_KDB_DISALLOW_SVR) {
+ kadm5_free_principal_ent(handle, &server);
+ return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ }
+
 /* * We try kadm5_decrypt_key twice because in the case of a * ENCTYPE_DES_CBC_CRC key, we prefer to find a krb4 salt type
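Review bot: The added test on `server.attributes` has no comment explaining that a locked-out or non-server principal is deliberately reported as KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, and it relies on `&` binding tighter than `||`. A single mask reads more safely, `if (server.attributes & (KRB5_KDB_DISALLOW_ALL_TIX | KRB5_KDB_DISALLOW_SVR)) {`, preceded by `/* Never return the key of a service that is disabled or may not act as a server. */`. Because the lookup mask is only `KADM5_KEY_DATA|KADM5_ATTRIBUTES`, principal expiry is not fetched and so cannot be enforced here; if this path is meant to apply the same service restrictions as ticket issuance, that check is presumably still missing. kdc_get_server_key starts and ends outside the hunk, so any other key-lookup path in it is not visible here.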