kerberos auth account restrictions
Jeremy Allison
jra at samba.org
Wed Jun 13 18:06:49 GMT 2007
On Wed, Jun 13, 2007 at 11:04:03AM -0700, James Peach wrote:
> hi all,
>
> In check_sam_security(), we check whether the account is locked out
> like this:
>
>     /* see if autolock flag needs to be updated */
>     if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL)
>         pdb_update_autolock_flag(sampass, &updated_autolock);
>     /* Quit if the account was locked out. */
>     if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
>         DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", pdb_get_username(sampass)));
>         return NT_STATUS_ACCOUNT_LOCKED_OUT;
>     }
>
> Is there a good reason that we don't do this for Kerberos auth in
> reply_spnego_kerberos()?

I think the KDC does this, not the server. Once it's got a ticket
from the KDC I think we assume that this isn't the case.

Jeremy.