CVE-2021-20251 s4:kdc: Check badPwdCount update return status

If the account has been locked out in the meantime (indicated by
NT_STATUS_ACCOUNT_LOCKED_OUT), we should return the appropriate error
code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bdfc9d96f8fe5070ab8a189bbf42ccb7e77afb73)

[jsutton@samba.org Fixed knownfail conflicts due to not having claims
 tests]

selftest/knownfail_heimdal_kdc

@@ -54,7 +54,3 @@
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected.ad_dc
 #
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc
-#
-# Lockout tests
-#
-^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_kdc.ad_dc:local

source4/kdc/hdb-samba4.c

@@ -703,8 +703,13 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 		} else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) {
 			status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
 		} else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
-			authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
-			status = NT_STATUS_WRONG_PASSWORD;
+			status = authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
+			if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+				final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
+				r->error_code = final_ret;
+			} else {
+				status = NT_STATUS_WRONG_PASSWORD;
+			}
 			rwdc_fallback = kdc_db_ctx->rodc;
 		} else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
 			status = NT_STATUS_ACCOUNT_LOCKED_OUT;