ipa-kdb: reject principals from disabled domains as a KDC policy

Fixes https://fedorahosted.org/freeipa/ticket/4788 Reviewed-By: Sumit Bose <sbose@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-12-10 14:59:38 +02:00 · 2014-12-10 14:59:38 +02:00 · 373a04870d
commit 373a04870d
parent 92c3a9f1fd
1 changed files with 1 additions and 1 deletions
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@ -1372,7 +1372,7 @@ static krb5_error_code filter_logon_info(krb5_context context,
                                   &domain->parent->sid_blacklist_incoming[k], true);
            if (result) {
                filter_logon_info_log_message(info->info->info3.base.domain_sid);
-                return EINVAL;
+                return KRB5KDC_ERR_POLICY;
            }
        }
    }