gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
authorGünther Deschner <gd@samba.org>
Sat, 7 Feb 2015 09:48:30 +0000 (10:48 +0100)
committerGünther Deschner <gd@samba.org>
Fri, 27 Mar 2015 00:26:16 +0000 (01:26 +0100)
When requesting initiator credentials fails, we need to map the error code
KRB5KRB_AP_ERR_BAD_INTEGRITY to NT_STATUS_LOGON_FAILURE as well. This is what
current MIT kerberos returns.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/auth/gensec/gensec_gssapi.c

index cecd3166d32f28df310bd4f259cb6072f6cace8c..5582102c7dbdd9956d60724aa85cc277dc17bf0a 100644 (file)
@@ -305,6 +305,7 @@ static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_securi
                return NT_STATUS_INVALID_PARAMETER;
        case KRB5KDC_ERR_PREAUTH_FAILED:
        case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
+       case KRB5KRB_AP_ERR_BAD_INTEGRITY:
                DEBUG(1, ("Wrong username or password: %s\n", error_string));
                return NT_STATUS_LOGON_FAILURE;
        case KRB5KDC_ERR_CLIENT_REVOKED: