diff options
author | Andrew Bartlett <abartlet@samba.org> | 2007-05-17 05:44:51 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:52:33 -0500 |
commit | 1a7b2513191fc1b29ccdbf23fca693b41a0d446a (patch) | |
tree | 8c7e79920e74951d7e62ecaa7cdd1c22febf6ab6 | |
parent | da9b4626bc1c91629e053c494ff4dbe753fa2144 (diff) | |
download | samba-1a7b2513191fc1b29ccdbf23fca693b41a0d446a.tar.gz samba-1a7b2513191fc1b29ccdbf23fca693b41a0d446a.tar.bz2 samba-1a7b2513191fc1b29ccdbf23fca693b41a0d446a.zip |
r22966: Make sure to return LOGON_FAILURE if the user's kerberos password is
incorrect.
Andrew Bartlett
(This used to be commit 9dc6f36e43170bc5bf4f94d893b5a3689460d237)
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 2 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 17 | ||||
-rw-r--r-- | source4/auth/gensec/spnego.c | 2 |
3 files changed, 15 insertions, 6 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 86e988e4cb..4dd5905480 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -347,6 +347,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi switch (ret) { case 0: break; + case KRB5KDC_ERR_PREAUTH_FAILED: + return NT_STATUS_LOGON_FAILURE; case KRB5_KDC_UNREACH: DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal)); return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */ diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 044c7df1de..b23d7f474c 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -244,16 +244,23 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security gensec_krb5_state = gensec_security->private_data; gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START; + principal = gensec_get_target_principal(gensec_security); + ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), &ccache_container); - if (ret) { - DEBUG(1,("gensec_krb5_start: cli_credentials_get_ccache failed: %s\n", - error_message(ret))); + switch (ret) { + case 0: + break; + case KRB5KDC_ERR_PREAUTH_FAILED: + return NT_STATUS_LOGON_FAILURE; + case KRB5_KDC_UNREACH: + DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal)); + return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */ + default: + DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentails failed: %s\n", error_message(ret))); return NT_STATUS_UNSUCCESSFUL; } - in_data.length = 0; - principal = gensec_get_target_principal(gensec_security); if (principal && lp_client_use_spnego_principal()) { krb5_principal target_principal; ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal, diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c index 243f239d5d..79dc0ea6e7 100644 --- a/source4/auth/gensec/spnego.c +++ b/source4/auth/gensec/spnego.c @@ -528,7 +528,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ * support the first time. Lets keep this code to * reality */ - return NT_STATUS_INVALID_PARAMETER; + return nt_status; } /** create a negTokenInit |