git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Thu, 24 May 2012 17:03:26 +0000 (13:03 -0400)
committer	Greg Hudson <ghudson@mit.edu>
	Thu, 24 May 2012 17:05:52 +0000 (13:05 -0400)
commit	33a64a7f9dc7342880f7a477a8b3447891d20af5
tree	d1ef424e3b0a5de1136820ea2a9dfd2a8d95bfa4	tree \| snapshot
parent	372b3e2a4f3bd9d1b2e05abec4c04b99962e582f	commit \| diff

Fix S4U user identification in preauth case

In 1.10, encrypted timestamp became a built-in module instead of a
hardcoded padata handler.  This changed the behavior of
krb5_get_init_creds as invoked by s4u_identify_user such that
KRB5_PREAUTH_FAILED is returned instead of the gak function's error.
(Module failures are not treated as hard errors, while hardcoded
padata handler errors are.)  Accordingly, we should look for
KRB5_PREAUTH_FAILED in s4u_identify_user.

On a less harmful note, the gak function was returning a protocol
error code instead of a com_err code, and the caller was testing for a
different protocol error code (KDC_ERR_PREAUTH_REQUIRED) which could
never be returned by krb5_get_init_creds.  Clean up both of those by
returning KRB5_PREAUTH_FAILED from the gak function and testing for
that alone.

Reported by Michael Morony.

ticket: 7136
target_version: 1.10.2
tags: pullup