mit-kdb: Do not allow to get a kadmin ticket as a client.

Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
author: Andreas Schneider <asn@samba.org> 2014-08-06 15:32:13 +0200
committer: Andrew Bartlett <abartlet@samba.org> 2016-03-17 04:32:28 +0100
commit: 742b4c3da8343474d958426e1f8b61faf6938645 (patch)
tree: b7a9dc6921cff8a041995f2164b199b17d62c5d4 /source4/kdc
parent: e13e9c54f5956c86a05693e08aab5223b02b5211 (diff)
download: samba-742b4c3da8343474d958426e1f8b61faf6938645.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 7f9ab070617..17fb984a794 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -90,6 +90,10 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 		return KRB5_KDB_DBNOTINITED;
 	}
 
+	if (ks_is_kadmin(context, kdcreq->client)) {
+		return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+	}
+
 	if (krb5_princ_size(context, kdcreq->server) == 2 &&
 	    ks_is_kadmin_changepw(context, kdcreq->server)) {
 		code = krb5_get_default_realm(context, &realm);
author	Andreas Schneider <asn@samba.org>	2014-08-06 15:32:13 +0200
committer	Andrew Bartlett <abartlet@samba.org>	2016-03-17 04:32:28 +0100
commit	742b4c3da8343474d958426e1f8b61faf6938645 (patch)
tree	b7a9dc6921cff8a041995f2164b199b17d62c5d4 /source4/kdc
parent	e13e9c54f5956c86a05693e08aab5223b02b5211 (diff)
download	samba-742b4c3da8343474d958426e1f8b61faf6938645.tar.gz