svn commit: samba r22966 - in
branches/SAMBA_4_0/source/auth/gensec: .
abartlet at samba.org
abartlet at samba.org
Thu May 17 05:44:53 GMT 2007
Author: abartlet
Date: 2007-05-17 05:44:51 +0000 (Thu, 17 May 2007)
New Revision: 22966
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=22966
Log:
Make sure to return LOGON_FAILURE if the user's kerberos password is
incorrect.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c
branches/SAMBA_4_0/source/auth/gensec/spnego.c
Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c 2007-05-17 03:42:28 UTC (rev 22965)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c 2007-05-17 05:44:51 UTC (rev 22966)
@@ -347,6 +347,8 @@
switch (ret) {
case 0:
break;
+ case KRB5KDC_ERR_PREAUTH_FAILED:
+ return NT_STATUS_LOGON_FAILURE;
case KRB5_KDC_UNREACH:
DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c 2007-05-17 03:42:28 UTC (rev 22965)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c 2007-05-17 05:44:51 UTC (rev 22966)
@@ -244,16 +244,23 @@
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
+ principal = gensec_get_target_principal(gensec_security);
+
ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), &ccache_container);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: cli_credentials_get_ccache failed: %s\n",
- error_message(ret)));
+ switch (ret) {
+ case 0:
+ break;
+ case KRB5KDC_ERR_PREAUTH_FAILED:
+ return NT_STATUS_LOGON_FAILURE;
+ case KRB5_KDC_UNREACH:
+ DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
+ return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
+ default:
+ DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentails failed: %s\n", error_message(ret)));
return NT_STATUS_UNSUCCESSFUL;
}
-
in_data.length = 0;
- principal = gensec_get_target_principal(gensec_security);
if (principal && lp_client_use_spnego_principal()) {
krb5_principal target_principal;
ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
Modified: branches/SAMBA_4_0/source/auth/gensec/spnego.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/spnego.c 2007-05-17 03:42:28 UTC (rev 22965)
+++ branches/SAMBA_4_0/source/auth/gensec/spnego.c 2007-05-17 05:44:51 UTC (rev 22966)
@@ -528,7 +528,7 @@
* support the first time. Lets keep this code to
* reality */
- return NT_STATUS_INVALID_PARAMETER;
+ return nt_status;
}
/** create a negTokenInit
More information about the samba-cvs
mailing list