CVE-2021-20251 s4:kdc: Check return status of authsam_logon_success_accounting()

If we find that the user has been locked out sometime during the request
(due to a race), we will now return an error code.

Note that we cannot avoid the MIT KDC aspect of the issue by checking
the return status of mit_samba_zero_bad_password_count(), because
kdb_vftabl::audit_as_req() returning void means we cannot pass on the
result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

source4/kdc/hdb-samba4.c

@@ -652,14 +652,21 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 			 * well.  However before we do that, we need to pass
 			 * in the PAC here or re-calculate it.
 			 */
-			authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
-							 domain_dn, true, &send_to_sam);
-			if (kdc_db_ctx->rodc && send_to_sam != NULL) {
+			status = authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
+								  domain_dn, true, &send_to_sam);
+			if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+				final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
+				r->error_code = final_ret;
+				rwdc_fallback = kdc_db_ctx->rodc;
+			} else if (!NT_STATUS_IS_OK(status)) {
+				final_ret = KRB5KRB_ERR_GENERIC;
+				r->error_code = final_ret;
+				rwdc_fallback = kdc_db_ctx->rodc;
+			} else if (kdc_db_ctx->rodc && send_to_sam != NULL) {
 				reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
 			}
 
 			/* This is the final sucess */
-			status = NT_STATUS_OK;
 		} else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
 			/*
 			 * This was only a pre-authentication success,