[PATCH] Improve password_hash.c error message with invalid krb5.conf

Alexander Bokovoy ab at samba.org
Tue Apr 10 06:14:56 UTC 2018


On Tue, 10 Apr 2018, William Brown via samba-technical wrote:
> On Tue, 2018-04-10 at 17:23 +1200, Andrew Bartlett wrote:
> > On Tue, 2018-04-10 at 14:53 +1000, William Brown via samba-technical
> > wrote:
> > > This patch resolves the earlier issue I found where the ldb
> > > operations
> > > error did not clearly communicate the issue.
> > > 
> > > Thank you for your time,
> > > 
> > > William Brown
> > 
> > Thanks William,
> > 
> > Can you add a Signed-off-by per the copyright policy and contributing
> > page on the wiki?
> 
> > 
> > Also, keep the line lengths under 80 columns and (if any) avoid
> > trailing whitespace. 
> > 
> > I'll look at this more tomorrow, but it looks good so far!
> 
> Fixed both comments, see new patch attached,
> 
> Thank you!
> 
> > 
> > Andrew Bartlett
> > 

> From 96627ec115e00df9a61879cfcd52df4c97071682 Mon Sep 17 00:00:00 2001
> From: William Brown <william at blackhats.net.au>
> Date: Tue, 10 Apr 2018 14:51:06 +1000
> Subject: [PATCH] s4:ldb/password_hash.c: improve krb5 context error message
> 
> When heimdal encounters a MIT krb5.conf that it does not understand,
> it would emit an "ldb operations error". Sadly this does not help
> or communicate to the administrator the root cause of the issue.
> 
> Improve the error message for when krb init fails during password_hash.c
> 
> Signed-off-by: William Brown <william at blackhats.net.au>
> ---
>  source4/dsdb/samdb/ldb_modules/password_hash.c | 23 ++++++++++++++++++++---
>  1 file changed, 20 insertions(+), 3 deletions(-)
> 
> diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
> index c872f20eb23..146fb6fa2c3 100644
> --- a/source4/dsdb/samdb/ldb_modules/password_hash.c
> +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
> @@ -3138,10 +3138,27 @@ static int setup_io(struct ph_context *ac,
>  		info_msg = client_msg;
>  	}
>  
> -	if (smb_krb5_init_context(ac,
> +	ret = smb_krb5_init_context(ac,
>  				  (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"),
> -				  &io->smb_krb5_context) != 0) {
> -		return ldb_operr(ldb);
> +				  &io->smb_krb5_context);
> +
> +	if (ret != 0) {
> +		/*
> +		 * In the special case of mit krb5.conf vs heimdal, the includedir
> +		 * statement causes ret == 22 (KRB5_CONFIG_BADFORMAT) to be returned.
> +		 * We look for this case so that we can give a more instructional
> +		 * message to the administrator.
> +		 */
> +		if (ret == KRB5_CONFIG_BADFORMAT || ret == EINVAL) {
> +			ldb_asprintf_errstring(ldb, "Failed to setup krb5_context: %s - "
> +				"This could be due to an invalid krb5 configuration. "
> +				"Please check your system's krb5 configuration is correct.",
> +				error_message(ret));
> +		} else {
> +			ldb_asprintf_errstring(ldb, "Failed to setup krb5_context: %s",
> +				error_message(ret));
> +		}
> +		return LDB_ERR_OPERATIONS_ERROR;
>  	}
>  
>  	io->ac				= ac;
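
Review bot: The comment at the top of the new `if (ret != 0)` block says the includedir case returns "ret == 22 (KRB5_CONFIG_BADFORMAT)", but the condition right below it tests `KRB5_CONFIG_BADFORMAT` and `EINVAL` as two distinct values, so the comment and the check disagree about which code is actually seen. 22 is the value of EINVAL on Linux, not a krb5 error-table code, so please reword the comment to say which of the two is returned here (or that both can be), otherwise someone trusting the comment may later trim one side of the check. Separately, the `ldb_asprintf_errstring(ldb, "Failed to setup krb5_context: %s - "` line and the first comment line still run past 80 columns at this indentation, which was the earlier review request.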

RB+ by me.

-- 
/ Alexander Bokovoy


