mit-kdb: Do not allow to get a kadmin ticket as a client.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

source4/kdc/mit-kdb/kdb_samba_policies.c

@@ -90,6 +90,10 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 		return KRB5_KDB_DBNOTINITED;
 	}
 
+	if (ks_is_kadmin(context, kdcreq->client)) {
+		return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+	}
+
 	if (krb5_princ_size(context, kdcreq->server) == 2 &&
 	    ks_is_kadmin_changepw(context, kdcreq->server)) {
 		code = krb5_get_default_realm(context, &realm);