gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
author Günther Deschner <gd@samba.org>
Sat, 7 Feb 2015 09:48:30 +0000 (10:48 +0100)
committer Günther Deschner <gd@samba.org>
Fri, 27 Mar 2015 00:26:16 +0000 (01:26 +0100)
When requesting initiator credentials fails, we need to map the error code
KRB5KRB_AP_ERR_BAD_INTEGRITY to NT_STATUS_LOGON_FAILURE as well. This is what
current MIT kerberos returns.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/auth/gensec/gensec_gssapi.c

index cecd3166d32f28df310bd4f259cb6072f6cace8c..5582102c7dbdd9956d60724aa85cc277dc17bf0a 100644 (file)
@@ -305,6 +305,7 @@ static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_securi
                return NT_STATUS_INVALID_PARAMETER;
        case KRB5KDC_ERR_PREAUTH_FAILED:
        case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
                return NT_STATUS_INVALID_PARAMETER;
        case KRB5KDC_ERR_PREAUTH_FAILED:
        case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
+       case KRB5KRB_AP_ERR_BAD_INTEGRITY:
                DEBUG(1, ("Wrong username or password: %s\n", error_string));
                return NT_STATUS_LOGON_FAILURE;
        case KRB5KDC_ERR_CLIENT_REVOKED:
                DEBUG(1, ("Wrong username or password: %s\n", error_string));
                return NT_STATUS_LOGON_FAILURE;
        case KRB5KDC_ERR_CLIENT_REVOKED:
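
Review bot: the added `case KRB5KRB_AP_ERR_BAD_INTEGRITY:` label has no comment saying why an AP-level integrity error belongs in the group that logs "Wrong username or password" and returns NT_STATUS_LOGON_FAILURE. The reason (current MIT Kerberos returns this code when requesting initiator credentials fails) appears only in the commit message. A one-line comment above the label would stop it from looking like a misplaced case later. The DEBUG text is shared with KRB5KDC_ERR_PREAUTH_FAILED and KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, so `error_string` is the only part of the log line that tells the three apart. It is worth confirming that it carries the Kerberos error text for this code, so that an operator can tell which one occurred while the client still sees the single logon-failure status.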