From 50b420b5f8ec1c4a6696b387ee5f3378dd0257bc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 10 Dec 2014 14:59:38 +0200
Subject: [PATCH] ipa-kdb: reject principals from disabled domains as a KDC
 policy
Fixes https://fedorahosted.org/freeipa/ticket/4788
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
e3ffab
index a4500070760e83994c8155a12ee6414b5ebee9e0..e3215db4ea11632dce8f039fc6b89c4a09acd87a 100644
e3ffab
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
e3ffab
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
e3ffab
@@ -1375,7 +1375,7 @@ static krb5_error_code filter_logon_info(krb5_context context,
e3ffab
                                    &domain->parent->sid_blacklist_incoming[k], true);
e3ffab
             if (result) {
e3ffab
                 filter_logon_info_log_message(info->info->info3.base.domain_sid);
e3ffab
-                return EINVAL;
e3ffab
+                return KRB5KDC_ERR_POLICY;
e3ffab
             }
e3ffab
         }
e3ffab
     }
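Review bot: The new `return KRB5KDC_ERR_POLICY;` in the `sid_blacklist_incoming` loop carries no comment explaining why a blacklist match is now reported as a KDC policy rejection instead of a generic `EINVAL`. I would add `/* domain SID is blacklisted for this trust (e.g. a disabled domain): reject as KDC policy, not as a malformed request */` directly above it. filter_logon_info starts and continues outside this hunk, so only this one return is visible here. It is worth confirming that the function's other rejection paths use a consistent code, and that no caller special-cases `EINVAL` from it, since such a caller would now take a different branch.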
-- 
2.1.0