From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 10 Aug 2023 22:02:28 +0000 (+1200)
Subject: s4:kdc: Return (possibly) more appropriate error codes
X-Git-Tag: tevent-0.16.0~986
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e67c0226183a9ef95ecb8ec8399f54650630806e;p=thirdparty%2Fsamba.git

s4:kdc: Return (possibly) more appropriate error codes

This change ultimately won’t make much difference to responses, as
unrecognized codes are mapped to ERR_GENERIC in any case. But it might
provide some help for debugging.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 94b2065fe5f..839bc8d840b 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -772,7 +772,7 @@ int samba_client_requested_pac(krb5_context context,
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
 		DBG_ERR("can't parse the PAC ATTRIBUTES_INFO: %s\n", nt_errstr(nt_status));
-		return EINVAL;
+		return map_errno_from_nt_status(nt_status);
 	}
 
 	if (pac_attrs.attributes_info.flags & (PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY
@@ -819,7 +819,7 @@ int samba_krbtgt_is_in_db(struct samba_kdc_entry *p,
 
 	if (!NT_STATUS_IS_OK(status)) {
 		talloc_free(mem_ctx);
-		return EINVAL;
+		return map_errno_from_nt_status(status);
 	}
 
 	rodc_krbtgt_number = ldb_msg_find_attr_as_int(p->msg, "msDS-SecondaryKrbTgtNumber", -1);
@@ -1272,7 +1272,7 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx,
 			DBG_ERR("authsam_update_user_info_dc failed: %s\n",
 				nt_errstr(nt_status));
 
-			ret = EINVAL;
+			ret = map_errno_from_nt_status(nt_status);
 			goto out;
 		}
 	} else {
@@ -1497,7 +1497,7 @@ static krb5_error_code samba_get_requester_sid(TALLOC_CTX *mem_ctx,
 		nt_status = ndr_map_error2ntstatus(ndr_err);
 		DBG_ERR("can't parse the PAC REQUESTER_SID: %s\n", nt_errstr(nt_status));
 		talloc_free(tmp_ctx);
-		return EINVAL;
+		return map_errno_from_nt_status(nt_status);
 	}
 
 	*sid = info.requester_sid.sid;
@@ -1785,7 +1785,7 @@ static krb5_error_code samba_kdc_add_domain_group_sid(TALLOC_CTX *mem_ctx,
 					   &domain_group->domain_sid,
 					   &rid);
 		if (!NT_STATUS_IS_OK(status)) {
-			return EINVAL;
+			return map_errno_from_nt_status(status);
 		}
 	} else {
 		status = dom_sid_split_rid(NULL,
@@ -1793,7 +1793,7 @@ static krb5_error_code samba_kdc_add_domain_group_sid(TALLOC_CTX *mem_ctx,
 					   NULL,
 					   &rid);
 		if (!NT_STATUS_IS_OK(status)) {
-			return EINVAL;
+			return map_errno_from_nt_status(status);
 		}
 	}
 
@@ -1902,7 +1902,7 @@ static krb5_error_code samba_kdc_update_device_info(TALLOC_CTX *mem_ctx,
 							  true, /* This user was authenticated */
 							  &device_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
-		return EINVAL;
+		return map_errno_from_nt_status(nt_status);
 	}
 
 	num_existing_sids = device_info_dc->num_sids;
@@ -1915,7 +1915,7 @@ static krb5_error_code samba_kdc_update_device_info(TALLOC_CTX *mem_ctx,
 						samdb,
 						device_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
-		return EINVAL;
+		return map_errno_from_nt_status(nt_status);
 	}
 
 	for (i = num_existing_sids; i < device_info_dc->num_sids; ++i) {
@@ -1953,7 +1953,7 @@ static krb5_error_code samba_kdc_get_device_info_pac_blob(TALLOC_CTX *mem_ctx,
 		NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
 		DBG_WARNING("PAC_DEVICE_INFO (presig) push failed: %s\n",
 			    nt_errstr(nt_status));
-		return EINVAL;
+		return map_errno_from_nt_status(nt_status);
 	}
 
 	return 0;
@@ -2002,7 +2002,7 @@ static krb5_error_code samba_kdc_create_device_info_blob(TALLOC_CTX *mem_ctx,
 		DBG_ERR("can't parse device PAC LOGON_INFO: %s\n",
 			nt_errstr(nt_status));
 		talloc_free(frame);
-		return EINVAL;
+		return map_errno_from_nt_status(nt_status);
 	}
 
 	/*
@@ -2463,7 +2463,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 			if (!NT_STATUS_IS_OK(nt_status)) {
 				DBG_ERR("samba_kdc_get_claims_blob failed: %s\n",
 					nt_errstr(nt_status));
-				code = EINVAL;
+				code = map_errno_from_nt_status(nt_status);
 				goto done;
 			}
 
@@ -2494,7 +2494,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			DBG_ERR("update delegation info blob failed: %s\n",
 				nt_errstr(nt_status));
-			code = EINVAL;
+			code = map_errno_from_nt_status(nt_status);
 			goto done;
 		}
 	}
@@ -2587,7 +2587,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 			DBG_ERR("samba_get_logon_info_pac_blob failed: %s\n",
 				nt_errstr(nt_status));
 
-			code = EINVAL;
+			code = map_errno_from_nt_status(nt_status);
 			goto done;
 		}
 
@@ -2637,7 +2637,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			DBG_ERR("samba_kdc_get_claims_blob failed: %s\n",
 				nt_errstr(nt_status));
-			code = EINVAL;
+			code = map_errno_from_nt_status(nt_status);
 			goto done;
 		}
 	}
@@ -2952,7 +2952,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
 								  true, /* This user was authenticated */
 								  &device_info);
 		if (!NT_STATUS_IS_OK(nt_status)) {
-			code = EINVAL;
+			code = map_errno_from_nt_status(nt_status);
 			goto out;
 		}
 
@@ -2964,7 +2964,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
 							samdb,
 							device_info);
 		if (!NT_STATUS_IS_OK(nt_status)) {
-			code = EINVAL;
+			code = map_errno_from_nt_status(nt_status);
 			goto out;
 		}
 	} else {
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 695ef6a3bf9..96d67e639f4 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -153,7 +153,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 					       &user_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(mem_ctx);
-		return EINVAL;
+		return map_errno_from_nt_status(nt_status);
 	}
 
 	/*
@@ -196,7 +196,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 						  &logon_blob);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(mem_ctx);
-		return EINVAL;
+		return map_errno_from_nt_status(nt_status);
 	}
 
 	if (cred_ndr_ptr != NULL) {
@@ -205,7 +205,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 							cred_ndr_ptr);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			talloc_free(mem_ctx);
-			return EINVAL;
+			return map_errno_from_nt_status(nt_status);
 		}
 	}
 
@@ -214,7 +214,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 						&upn_blob);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(mem_ctx);
-		return EINVAL;
+		return map_errno_from_nt_status(nt_status);
 	}
 
 	if (is_krbtgt) {
@@ -223,7 +223,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 							 &pac_attrs_blob);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			talloc_free(mem_ctx);
-			return EINVAL;
+			return map_errno_from_nt_status(nt_status);
 		}
 
 		nt_status = samba_kdc_get_requester_sid_blob(mem_ctx,
@@ -231,7 +231,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 							     &requester_sid_blob);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			talloc_free(mem_ctx);
-			return EINVAL;
+			return map_errno_from_nt_status(nt_status);
 		}
 	}
 
@@ -240,7 +240,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 					      &client_claims_blob);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(mem_ctx);
-		return EINVAL;
+		return map_errno_from_nt_status(nt_status);
 	}
 
 	if (pk_reply_key != NULL && cred_ndr != NULL) {