s3:libsmb: let cli_session_setup_kerberos_recv() return a useful error code

Forcing NT_STATUS_UNSUCCESSFUL is not a good idea, we should return
NT_STATUS_LOGON_FAILURE instead.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 2b1e2ecb8869126dca886435ad7c24fe7fdfa777..7a9e64834cb47945c4651593f3a127e52e1ad7c5 100644 (file)
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1302,11 +1302,18 @@ static struct tevent_req *cli_session_setup_kerberos_send(
        rc = spnego_gen_krb5_negTokenInit(state, principal, 0, &state->negTokenTarg,
                                     &state->session_key_krb5, 0, NULL, NULL);
        if (rc) {
-               DEBUG(1, ("cli_session_setup_kerberos: "
-                         "spnego_gen_krb5_negTokenInit failed: %s\n",
-                         error_message(rc)));
+               NTSTATUS status;
+
                state->ads_status = ADS_ERROR_KRB5(rc);
-               tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
+               status = ads_ntstatus(state->ads_status);
+               if (NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL)) {
+                       status = NT_STATUS_LOGON_FAILURE;
+                       state->ads_status = ADS_ERROR_NT(status);
+               }
+               DEBUG(1, ("cli_session_setup_kerberos: "
+                         "spnego_gen_krb5_negTokenInit failed: %s - %s\n",
+                         error_message(rc), nt_errstr(status)));
+               tevent_req_nterror(req, status);
                return tevent_req_post(req, ev);
        }
 
@@ -1384,9 +1391,18 @@ static ADS_STATUS cli_session_setup_kerberos_recv(struct tevent_req *req)
        NTSTATUS status;
 
        if (tevent_req_is_nterror(req, &status)) {
-               return ADS_ERROR_NT(status);
+               ADS_STATUS ads = state->ads_status;
+
+               if (!ADS_ERR_OK(state->ads_status)) {
+                       ads = state->ads_status;
+               } else {
+                       ads = ADS_ERROR_NT(status);
+               }
+               tevent_req_received(req);
+               return ads;
        }
-       return state->ads_status;
+       tevent_req_received(req);
+       return ADS_SUCCESS;
 }
 
 #endif /* HAVE_KRB5 */