From 05e9fd3773a886424610adca97eba1ad86e72daf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 17 Dec 2014 09:42:57 +0100
Subject: [PATCH 21/26] krb5: handle KRB5KRB_ERR_GENERIC as unspecific error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
KRB5KRB_ERR_GENERIC is a generic error and we cannot make any
assumptions about the cause. If there are cases where
KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this
must be solved by other means.
Resolves https://fedorahosted.org/sssd/ticket/2535
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/krb5/krb5_child.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 3234a4e6c740db5e05f7db8eb7f4ea0cc126e7ce..533e4139fee2abd9a0b8f939522a0819d91426ff 100644
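--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1049,7 +1049,6 @@ static errno_t map_krb5_error(krb5_error_code kerr)
  case KRB5_LIBOS_CANTREADPWD:
  return ERR_NO_CREDS;
 
- case KRB5KRB_ERR_GENERIC:
  case KRB5KRB_AP_ERR_SKEW:
  case KRB5_KDC_UNREACH:
  case KRB5_REALM_CANT_RESOLVE:
@@ -1072,6 +1071,18 @@ static errno_t map_krb5_error(krb5_error_code kerr)
  case KRB5KDC_ERR_PREAUTH_FAILED:
  return ERR_CREDS_INVALID;
 
+ /* Please do not remove KRB5KRB_ERR_GENERIC here, it is a _generic_ error
+ * code and we cannot make any assumptions about the reason for the error.
+ * As a consequence we cannot return a different error code than a generic
+ * one which unfortunately might result in a unspecific system error
+ * message to the user.
+ *
+ * If there are cases where libkrb5 calls return KRB5KRB_ERR_GENERIC where
+ * SSSD should behave differently this has to be detected by different
+ * means, e.g. by evaluation error messages, and then the error code
+ * should be changed to a more suitable KRB5* error code or immediately to
+ * a SSSD ERR_* error code to avoid the default handling here. */
+ case KRB5KRB_ERR_GENERIC:
  default:
  return ERR_INTERNAL;
  }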
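Review bot: The comment added above `case KRB5KRB_ERR_GENERIC:` in the second hunk suggests detecting special cases "by evaluation error messages" without noting that libkrb5 message text can be localized and can change between releases, which makes it a fragile basis for choosing an authentication outcome. I would append a sentence to the comment such as `Any such reclassification must be done before this function is called and must not place the error in the KDC-unreachable group unless that cause is actually established.`; the return value of the KRB5KRB_AP_ERR_SKEW / KRB5_KDC_UNREACH group that the first hunk removes the case from lies outside the visible lines, so confirm what that group triggers. Because the user now sees only an unspecific system error, it is also worth checking that the caller logs the original `kerr` and its message before it is collapsed to `ERR_INTERNAL`; map_krb5_error starts outside both hunks, so that cannot be verified here. Wording in the comment: "a unspecific" should read "an unspecific" and "evaluation error messages" should read "evaluating error messages".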
--
2.1.0