Fix error code on clpreauth module failure

Commit 632260bd1fccfb420f0827b59c85c329203eafc9 (ticket #7517) allows
better error reporting for some client pre-authentication failures.
However, it breaks an assumption in the S4U2Self code that such errors
can be recognized by the KRB5_PREAUTH_FAILED error code.  Instead of
passing through the error code reported by the first real preauth
module, wrap that error and return KRB5_PREAUTH_FAILED.

ticket: 8457 (new)
target_version: 1.14-next
target_version: 1.13-next

diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 783bb3154ddbb145744ab5034a47a8942e6304b0..ca26fb0e3fa5c8163b249ad2b2d4f036f9d1d25e 100644 (file)
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -638,8 +638,12 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
 
     if (must_preauth) {
         /* No real preauth types succeeded and we needed to preauthenticate. */
-        ret = (save.code != 0) ? k5_restore_ctx_error(context, &save) :
-            KRB5_PREAUTH_FAILED;
+        if (save.code != 0) {
+            ret = k5_restore_ctx_error(context, &save);
+            k5_wrapmsg(context, ret, KRB5_PREAUTH_FAILED,
+                       _("Pre-authentication failed"));
+        }
+        ret = KRB5_PREAUTH_FAILED;
     }
 
 cleanup: