From: Greg Hudson Date: Tue, 19 Jul 2016 14:52:06 +0000 (-0400) Subject: Fix error code on clpreauth module failure X-Git-Tag: krb5-1.15-beta1~148 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=560e11dabb63b141df29c54aaa2e120309a1e021;p=thirdparty%2Fkrb5.git Fix error code on clpreauth module failure Commit 632260bd1fccfb420f0827b59c85c329203eafc9 (ticket #7517) allows better error reporting for some client pre-authentication failures. However, it breaks an assumption in the S4U2Self code that such errors can be recognized by the KRB5_PREAUTH_FAILED error code. Instead of passing through the error code reported by the first real preauth module, wrap that error and return KRB5_PREAUTH_FAILED. ticket: 8457 (new) target_version: 1.14-next target_version: 1.13-next
---
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 783bb3154d..ca26fb0e3f 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -638,8 +638,12 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
 if (must_preauth) {
 /* No real preauth types succeeded and we needed to preauthenticate. */
- ret = (save.code != 0) ? k5_restore_ctx_error(context, &save) :
- KRB5_PREAUTH_FAILED;
+ if (save.code != 0) {
+ ret = k5_restore_ctx_error(context, &save);
+ k5_wrapmsg(context, ret, KRB5_PREAUTH_FAILED,
+ _("Pre-authentication failed"));
+ }
+ ret = KRB5_PREAUTH_FAILED;
 }
 cleanup:
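Review bot: The dependency on KRB5_PREAUTH_FAILED as the one recognizable code for this failure is still undocumented where the code is produced, so a later change could reintroduce the pass-through that this commit removes. Above the final `ret = KRB5_PREAUTH_FAILED;` I would add a comment such as `/* Callers such as the S4U2Self code match on KRB5_PREAUTH_FAILED; the module's own error survives only as wrapped message text. */`. Because the module's numeric code is no longer returned, any caller that branched on it (none is visible in this hunk) would now see only the generic code, which is worth confirming. process_pa_data begins before the hunk and continues past `cleanup:`.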