s4:kdc: handle passwords from the history in hdb_samba4_auth_status()
authorStefan Metzmacher <metze@samba.org>
Thu, 17 Feb 2022 06:12:10 +0000 (07:12 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Sat, 24 Jun 2023 06:25:35 +0000 (06:25 +0000)
This is important in order to prevent ACCOUNT_LOCKED_OUT
with cached credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/hdb-samba4.c

index 90e52f60cef58ef0af17457b9d2f76485817a4f8..c176a84eb5b978c9dfcb7ddef8565b61d9d29384 100644 (file)
@@ -846,6 +846,17 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                                status = NT_STATUS_WRONG_PASSWORD;
                        }
                        rwdc_fallback = kdc_db_ctx->rodc;
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY) {
+                       /*
+                        * The pre-authentication succeeds with a password
+                        * from the password history, so we don't
+                        * update the badPwdCount, but still return
+                        * PREAUTH_FAILED and need to forward to
+                        * a RWDC in order to produce an autoritative
+                        * response for the client.
+                        */
+                       status = NT_STATUS_WRONG_PASSWORD;
+                       rwdc_fallback = kdc_db_ctx->rodc;
                } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
                        edata_status = status = NT_STATUS_ACCOUNT_LOCKED_OUT;
                        rwdc_fallback = kdc_db_ctx->rodc;
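Review bot: The new KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY branch keeps badPwdCount unchanged only by omission — nothing in the branch names the bookkeeping it deliberately skips — and its comment has a typo (`autoritative`), so a later refactor that hoists the bad-password accounting out of the neighbouring branches could silently reintroduce the lockout this commit is fixing. I would replace the comment with something that states the intent and the security trade-off explicitly, e.g. `/* Historic key matched: the client presented a previous (typically stale cached) password. Fail pre-auth as usual, but deliberately skip the badPwdCount update so stale credentials cannot trigger lockout; the RWDC gives the authoritative answer. */`. The flip side is that a caller holding an old password can probe without tripping lockout, so it is worth saying how many historic keys the KDC loads for an entry, presumably bounded elsewhere since that limit is not visible in this hunk. Note also that `edata_status` is left unset here, unlike the locked-out branch just below, so the client receives a bare PREAUTH_FAILED without NT status e-data; that looks intended given the RWDC fallback, but a short note would avoid the question. hdb_samba4_audit begins and ends outside this hunk.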