Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/hdb-ldb.c5
-rw-r--r--source4/kdc/pac-glue.c21
2 files changed, 22 insertions, 4 deletions
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 9a17e581e3..bc5a45ae2b 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -510,9 +510,8 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
entry_ex->entry.valid_start = NULL;
- acct_expiry = samdb_result_nttime(msg, "accountExpires", (NTTIME)-1);
- if ((acct_expiry == (NTTIME)-1) ||
- (acct_expiry == 0x7FFFFFFFFFFFFFFFULL)) {
+ acct_expiry = samdb_result_account_expires(msg, 0);
+ if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL) {
entry_ex->entry.valid_end = NULL;
} else {
entry_ex->entry.valid_end = malloc(sizeof(*entry_ex->entry.valid_end));
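Review bot: The never-expires test on the new `if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL)` line now relies on `samdb_result_account_expires()` folding an absent or zero `accountExpires` into that sentinel, and the helper is not shown in this diff. If it passed the `0` default through unchanged, the else branch would presumably derive a `valid_end` from 0 and the principal would be treated as already expired. The removed `(NTTIME)-1` case is also no longer handled at this call site. A comment above the call would record the contract, e.g. `/* helper is expected to return 0x7FFFFFFFFFFFFFFF when accountExpires is absent or 0 (never expires) */`, and a named constant in place of the literal would make the sentinel easier to audit. The else block continues past the end of the hunk.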
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index a99cf6ded8..66f36af870 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -276,9 +276,28 @@ krb5_error_code samba_kdc_check_client_access(void *priv,
/* TODO: Need a more complete mapping of NTSTATUS to krb5kdc errors */
- if (!NT_STATUS_IS_OK(nt_status)) {
+ /* TODO: Also need to add the appropriate e-data struct of type
+ * PA-PW-SALT (3) that includes the NT_STATUS code, which gives Windows
+ * the information it needs to display the appropriate dialog. */
+
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE))
+ return KRB5KDC_ERR_KEY_EXPIRED;
+ else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED))
+ return KRB5KDC_ERR_KEY_EXPIRED;
+ else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED))
+ return KRB5KDC_ERR_CLIENT_REVOKED;
+ else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED))
+ return KRB5KDC_ERR_CLIENT_REVOKED;
+ else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS))
+ return KRB5KDC_ERR_CLIENT_REVOKED;
+ else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT))
+ return KRB5KDC_ERR_CLIENT_REVOKED;
+ else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_WORKSTATION))
+ return KRB5KDC_ERR_POLICY;
+ else if (!NT_STATUS_IS_OK(nt_status)) {
return KRB5KDC_ERR_POLICY;
}
+
return 0;
}
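Review bot: Within the visible lines the original `nt_status` is not logged before being collapsed into three krb5 codes, so the KDC log cannot tell a locked-out account from a disabled or expired one when all of them return `KRB5KDC_ERR_CLIENT_REVOKED`. Unless the caller already records it, a line such as `DEBUG(2, ("client access denied: %s\n", nt_errstr(nt_status)));` ahead of the chain would keep that detail for lockout and abuse monitoring. The start of the function is outside the hunk, so it is not visible whether this check runs before the client has proven knowledge of its key. If it does, the distinct codes also reveal account state to an unauthenticated requester, which is worth a comment next to the mapping. On style, the `NT_STATUS_INVALID_WORKSTATION` branch returns the same code as the catch-all, and the unbraced chain ends in a braced block; bracing every branch would keep later edits from attaching to the wrong arm.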