svn commit: samba r22966 - in branches/SAMBA_4_0/source/auth/gensec: .

abartlet at samba.org abartlet at samba.org
Thu May 17 05:44:53 GMT 2007


Author: abartlet
Date: 2007-05-17 05:44:51 +0000 (Thu, 17 May 2007)
New Revision: 22966

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=22966

Log:
Make sure to return LOGON_FAILURE if the user's kerberos password is
incorrect.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
   branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c
   branches/SAMBA_4_0/source/auth/gensec/spnego.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c	2007-05-17 03:42:28 UTC (rev 22965)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c	2007-05-17 05:44:51 UTC (rev 22966)
@@ -347,6 +347,8 @@
 	switch (ret) {
 	case 0:
 		break;
+	case KRB5KDC_ERR_PREAUTH_FAILED:
+		return NT_STATUS_LOGON_FAILURE;
 	case KRB5_KDC_UNREACH:
 		DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
 		return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
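Review bot: The new `KRB5KDC_ERR_PREAUTH_FAILED` case returns `NT_STATUS_LOGON_FAILURE` without logging anything, while the `KRB5_KDC_UNREACH` case right below it logs at level 3. A rejected password is the outcome an operator most needs in the log when triaging lockouts or repeated failed logons, so a line such as `DEBUG(3, ("Kerberos pre-authentication failed while acquiring initiator credentials\n"));` before the return would help. The same silent return is added in the gensec_krb5.c hunk. Only this one error code is mapped; a wrong password on an account without pre-authentication likely surfaces as a different krb5 code and would still take another branch, which is worth confirming. The switch begins and ends outside this hunk, so its remaining cases are not visible here.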

Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c	2007-05-17 03:42:28 UTC (rev 22965)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c	2007-05-17 05:44:51 UTC (rev 22966)
@@ -244,16 +244,23 @@
 	gensec_krb5_state = gensec_security->private_data;
 	gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
 
+	principal = gensec_get_target_principal(gensec_security);
+
 	ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), &ccache_container);
-	if (ret) {
-		DEBUG(1,("gensec_krb5_start: cli_credentials_get_ccache failed: %s\n", 
-			 error_message(ret)));
+	switch (ret) {
+	case 0:
+		break;
+	case KRB5KDC_ERR_PREAUTH_FAILED:
+		return NT_STATUS_LOGON_FAILURE;
+	case KRB5_KDC_UNREACH:
+		DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
+		return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
+	default:
+		DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentails failed: %s\n", error_message(ret)));
 		return NT_STATUS_UNSUCCESSFUL;
 	}
-
 	in_data.length = 0;
 	
-	principal = gensec_get_target_principal(gensec_security);
 	if (principal && lp_client_use_spnego_principal()) {
 		krb5_principal target_principal;
 		ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
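Review bot: In the new `KRB5_KDC_UNREACH` branch `principal` is passed straight to `%s`, but the `if (principal && lp_client_use_spnego_principal())` test a few lines later shows it can be NULL. Passing NULL to `%s` is undefined in standard printf, so the argument should be guarded, e.g. `principal ? principal : "(no target principal)"`. The default-branch message also misspells two words ("Aquiring initiator credentails"), which makes it harder to grep for; `"gensec_krb5_start: Acquiring initiator credentials failed: %s\n"` reads correctly. The enclosing function starts and ends outside this hunk.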

Modified: branches/SAMBA_4_0/source/auth/gensec/spnego.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/spnego.c	2007-05-17 03:42:28 UTC (rev 22965)
+++ branches/SAMBA_4_0/source/auth/gensec/spnego.c	2007-05-17 05:44:51 UTC (rev 22966)
@@ -528,7 +528,7 @@
 	 * support the first time.  Lets keep this code to
 	 * reality */
 
-	return NT_STATUS_INVALID_PARAMETER;
+	return nt_status;
 }
 
 /** create a negTokenInit 
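Review bot: The closing `return nt_status;` is only safe if `nt_status` holds a failure code on every path that reaches the end of the function, whereas the old code returned a fixed `NT_STATUS_INVALID_PARAMETER`. The function body starts outside this hunk, so it is not visible whether the variable is initialised or can still hold a non-error value when no mechanism was attempted. If it can, a negotiation that tried nothing would report a stale or success status to the caller. Initialising it at its declaration, e.g. `NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;`, would keep the old fallback, and the comment above the return could state that the last attempted mechanism's status is what propagates.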


