author | Andreas Schneider <asn@samba.org> | 2014-08-06 15:32:13 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2016-03-17 04:32:28 +0100 |
commit | 742b4c3da8343474d958426e1f8b61faf6938645 (patch) | |
tree | b7a9dc6921cff8a041995f2164b199b17d62c5d4 | |
parent | e13e9c54f5956c86a05693e08aab5223b02b5211 (diff) | |
download | samba-742b4c3da8343474d958426e1f8b61faf6938645.tar.gz |
mit-kdb: Do not allow to get a kadmin ticket as a client.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/kdc/mit-kdb/kdb_samba_policies.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 7f9ab070617..17fb984a794 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -90,6 +90,10 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 return KRB5_KDB_DBNOTINITED;
 }
 
+ if (ks_is_kadmin(context, kdcreq->client)) {
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ }
+
 if (krb5_princ_size(context, kdcreq->server) == 2 &&
 ks_is_kadmin_changepw(context, kdcreq->server)) {
 code = krb5_get_default_realm(context, &realm); |
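Review bot: The new early return on `ks_is_kadmin(context, kdcreq->client)` carries no comment saying why a kadmin principal is refused as an AS client, or why the reply is `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN` rather than a policy error. If the intent is to avoid confirming that the principal exists, I would put `/* kadmin principals must never obtain an initial ticket as a client; answer as if the principal were unknown. */` above the check. `ks_is_kadmin` is defined outside this hunk, so it is not visible here which `kadmin/*` instances it matches; that should be confirmed against the principals the database actually holds. The rejection is also silent, so a log line at this point (if the module has a logging helper) would let operators see attempts to authenticate as kadmin. `kdb_samba_db_check_policy_as` starts and ends outside the hunk and the TGS policy path is not shown, so whether the same restriction is needed there cannot be judged from this page.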