r22966: Make sure to return LOGON_FAILURE if the user's kerberos password is
authorAndrew Bartlett <abartlet@samba.org>
Thu, 17 May 2007 05:44:51 +0000 (05:44 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 19:52:33 +0000 (14:52 -0500)
incorrect.

Andrew Bartlett
(This used to be commit 9dc6f36e43170bc5bf4f94d893b5a3689460d237)

source4/auth/gensec/gensec_gssapi.c
source4/auth/gensec/gensec_krb5.c
source4/auth/gensec/spnego.c

index 86e988e4cbfdef080a11f7910fd5595c76562ff2..4dd5905480f3a992b97b36f7f4a3cf8a62428e4b 100644 (file)
@@ -347,6 +347,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
        switch (ret) {
        case 0:
                break;
+       case KRB5KDC_ERR_PREAUTH_FAILED:
+               return NT_STATUS_LOGON_FAILURE;
        case KRB5_KDC_UNREACH:
                DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
                return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
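Review bot: The new `KRB5KDC_ERR_PREAUTH_FAILED` case returns `NT_STATUS_LOGON_FAILURE` without logging anything, while the neighbouring `KRB5_KDC_UNREACH` case logs before it returns, so a rejected password leaves no trace at any debug level. A line such as `DEBUG(2, ("Kerberos pre-authentication failed, treating as wrong password\n"));` before the return would make repeated failures visible to whoever reads the logs. The same silent return is added in gensec_krb5_client_start in gensec_krb5.c. The switch continues past the end of this hunk, so the default case is not visible here.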
index 044c7df1de2497e3eacee032f38ae4d721ceff5d..b23d7f474c9d6f3bed6454ee9ddbb188f31f7ff2 100644 (file)
@@ -244,16 +244,23 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
        gensec_krb5_state = gensec_security->private_data;
        gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
 
+       principal = gensec_get_target_principal(gensec_security);
+
        ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), &ccache_container);
-       if (ret) {
-               DEBUG(1,("gensec_krb5_start: cli_credentials_get_ccache failed: %s\n", 
-                        error_message(ret)));
+       switch (ret) {
+       case 0:
+               break;
+       case KRB5KDC_ERR_PREAUTH_FAILED:
+               return NT_STATUS_LOGON_FAILURE;
+       case KRB5_KDC_UNREACH:
+               DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
+               return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
+       default:
+               DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentails failed: %s\n", error_message(ret)));
                return NT_STATUS_UNSUCCESSFUL;
        }
-
        in_data.length = 0;
        
-       principal = gensec_get_target_principal(gensec_security);
        if (principal && lp_client_use_spnego_principal()) {
                krb5_principal target_principal;
                ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
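Review bot: In the new `KRB5_KDC_UNREACH` case, `principal` is passed to a `%s` conversion although the later test `if (principal && lp_client_use_spnego_principal())` implies it can be NULL, and passing NULL to `%s` is undefined behaviour. Guarding the argument avoids that: `DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal ? principal : "(no target principal)"));`. The default-case message also misspells two words ("Aquiring initiator credentails"), which makes it hard to grep for; it should read "Acquiring initiator credentials". The function body starts before and continues after this hunk.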
index 243f239d5d24db11e3ac7e03abf7f2f0afbd59ea..79dc0ea6e743da0c458b3e53d460b1aa2db61b42 100644 (file)
@@ -528,7 +528,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
         * support the first time.  Lets keep this code to
         * reality */
 
-       return NT_STATUS_INVALID_PARAMETER;
+       return nt_status;
 }
 
 /** create a negTokenInit
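Review bot: The final `return nt_status;` now hands back whatever the variable holds when control falls out of the mechanism handling above, and every assignment to it lies outside this hunk. If any path reaches this line without a mechanism having been tried, the old fixed `NT_STATUS_INVALID_PARAMETER` is lost and the caller may see a stale or even successful status, so it is worth confirming the variable is initialised to `NT_STATUS_INVALID_PARAMETER` where it is declared. The retained comment above the return no longer explains the value; I would add `/* Propagate the last mechanism's error (e.g. LOGON_FAILURE) instead of masking it */` directly before the return.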