|
 |
905b4d |
From 956dbefd49ce3cbf27539d8846a6d71462a3a927 Mon Sep 17 00:00:00 2001
|
|
|
905b4d |
From: Sumit Bose <sbose@redhat.com>
|
|
|
905b4d |
Date: Wed, 17 Dec 2014 09:42:57 +0100
|
|
|
905b4d |
Subject: [PATCH 5/7] krb5: handle KRB5KRB_ERR_GENERIC as unspecific error
|
|
|
905b4d |
MIME-Version: 1.0
|
|
|
905b4d |
Content-Type: text/plain; charset=UTF-8
|
|
|
905b4d |
Content-Transfer-Encoding: 8bit
|
|
|
905b4d |
|
|
|
905b4d |
KRB5KRB_ERR_GENERIC is a generic error and we cannot make any
|
|
|
905b4d |
assumptions about the cause. If there are cases where
|
|
|
905b4d |
KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this
|
|
|
905b4d |
must be solved by other means.
|
|
|
905b4d |
|
|
|
905b4d |
Resolves https://fedorahosted.org/sssd/ticket/2535
|
|
|
905b4d |
|
|
|
905b4d |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
905b4d |
---
|
|
|
905b4d |
src/providers/krb5/krb5_child.c | 13 ++++++++++++-
|
|
|
905b4d |
1 file changed, 12 insertions(+), 1 deletion(-)
|
|
|
905b4d |
|
|
|
905b4d |
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
|
|
905b4d |
index 64fe6f0cb19e831ed4b49f627cb3b3a124272943..e5ce50be4bb088df3c45e5f642e8b3f3608c4662 100644
|
|
|
905b4d |
--- a/src/providers/krb5/krb5_child.c
|
|
|
905b4d |
+++ b/src/providers/krb5/krb5_child.c
|
|
|
905b4d |
@@ -1076,7 +1076,6 @@ static errno_t map_krb5_error(krb5_error_code kerr)
|
|
|
905b4d |
case KRB5_LIBOS_CANTREADPWD:
|
|
|
905b4d |
return ERR_NO_CREDS;
|
|
|
905b4d |
|
|
|
905b4d |
- case KRB5KRB_ERR_GENERIC:
|
|
|
905b4d |
case KRB5KRB_AP_ERR_SKEW:
|
|
|
905b4d |
case KRB5_KDC_UNREACH:
|
|
|
905b4d |
case KRB5_REALM_CANT_RESOLVE:
|
|
|
905b4d |
@@ -1099,6 +1098,18 @@ static errno_t map_krb5_error(krb5_error_code kerr)
|
|
|
905b4d |
case KRB5KDC_ERR_PREAUTH_FAILED:
|
|
|
905b4d |
return ERR_CREDS_INVALID;
|
|
|
905b4d |
|
|
|
905b4d |
+ /* Please do not remove KRB5KRB_ERR_GENERIC here, it is a _generic_ error
|
|
|
905b4d |
+ * code and we cannot make any assumptions about the reason for the error.
|
|
|
905b4d |
+ * As a consequence we cannot return a different error code than a generic
|
|
|
905b4d |
+ * one which unfortunately might result in a unspecific system error
|
|
|
905b4d |
+ * message to the user.
|
|
|
905b4d |
+ *
|
|
|
905b4d |
+ * If there are cases where libkrb5 calls return KRB5KRB_ERR_GENERIC where
|
|
|
905b4d |
+ * SSSD should behave differently this has to be detected by different
|
|
|
905b4d |
+ * means, e.g. by evaluation error messages, and then the error code
|
|
|
905b4d |
+ * should be changed to a more suitable KRB5* error code or immediately to
|
|
|
905b4d |
+ * a SSSD ERR_* error code to avoid the default handling here. */
|
|
|
905b4d |
+ case KRB5KRB_ERR_GENERIC:
|
|
|
905b4d |
default:
|
|
|
905b4d |
return ERR_INTERNAL;
|
|
|
905b4d |
}
|
|
|
905b4d |
--
|
|
|
905b4d |
1.9.3
|
|
|
905b4d |
|