author | Andrew Tridgell <tridge@samba.org> | 2010-02-25 16:16:33 +1100 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-02-26 13:59:16 +1100 |
commit | 781ad038c96195031053291414a12225eb818fd9 (patch) | |
tree | faf68b7deb844b69cb7463d6c7f689ecc7248971 /source4/auth/gensec | |
parent | ad7223b9bd31f71b8af2ae83361d7e054a433cc5 (diff) | |
s4-krb5: propogate errors from a lot more kerberos functions
We need to be able to give sensible error messages when a kerberos
call fails. This propagates the kerberos error up the stack to the
caller.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 12 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 12 |
2 files changed, 15 insertions, 9 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 2759ab41c3..a50190f04c 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -320,6 +320,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi const char *hostname = gensec_get_target_hostname(gensec_security); const char *principal; struct gssapi_creds_container *gcc; + const char *error_string; if (!hostname) { DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n")); @@ -368,17 +369,17 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi ret = cli_credentials_get_client_gss_creds(creds, gensec_security->event_ctx, - gensec_security->settings->lp_ctx, &gcc); + gensec_security->settings->lp_ctx, &gcc, &error_string); switch (ret) { case 0: break; case KRB5KDC_ERR_PREAUTH_FAILED: return NT_STATUS_LOGON_FAILURE; case KRB5_KDC_UNREACH: - DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal)); + DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", principal, error_string)); return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */ default: - DEBUG(1, ("Aquiring initiator credentials failed\n")); + DEBUG(1, ("Aquiring initiator credentials failed: %s\n", error_string)); return NT_STATUS_UNSUCCESSFUL; } @@ -1335,6 +1336,8 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n")); } else { krb5_error_code ret; + const char *error_string; + DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n")); session_info->credentials = cli_credentials_init(session_info); if (!session_info->credentials) { 
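Review bot: `error_string` in gensec_gssapi_client_start is declared without an initializer and then printed with `%s` in both the `KRB5_KDC_UNREACH` and `default` branches. The log call therefore reads an indeterminate pointer unless cli_credentials_get_client_gss_creds() writes the out-parameter on every non-zero return, and that contract is not visible in this diff. Giving the local a fallback such as `const char *error_string = "unknown error";` makes the failure paths safe regardless of what the callee does. The same pattern appears in gensec_krb5_common_client_start (the cli_credentials_get_ccache call), gensec_gssapi_session_info and gensec_krb5_update. The function body continues outside these hunks.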
@@ -1350,9 +1353,10 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi gensec_security->event_ctx, gensec_security->settings->lp_ctx, gensec_gssapi_state->delegated_cred_handle, - CRED_SPECIFIED); + CRED_SPECIFIED, &error_string); if (ret) { talloc_free(mem_ctx); + DEBUG(2,("Failed to get gss creds: %s\n", error_string)); return NT_STATUS_NO_MEMORY; } diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 46b8181de7..3d744770df 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -234,7 +234,7 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s NTSTATUS nt_status; struct ccache_container *ccache_container; const char *hostname; - + const char *error_string; const char *principal; krb5_data in_data; @@ -277,17 +277,17 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), gensec_security->event_ctx, - gensec_security->settings->lp_ctx, &ccache_container); + gensec_security->settings->lp_ctx, &ccache_container, &error_string); switch (ret) { case 0: break; case KRB5KDC_ERR_PREAUTH_FAILED: return NT_STATUS_LOGON_FAILURE; case KRB5_KDC_UNREACH: - DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal)); + DEBUG(3, ("Cannot reach a KDC we require to contact %s: %s\n", principal, error_string)); return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */ default: - DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_message(ret))); + DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string)); return NT_STATUS_UNSUCCESSFUL; } in_data.length = 0; 
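Review bot: In gensec_gssapi_session_info the added `DEBUG(2, ...)` runs after `talloc_free(mem_ctx)`. The start of the call is outside the hunk, so it cannot be confirmed here, but if the callee allocates `error_string` under `mem_ctx` the log line reads freed memory. Logging first removes that dependency: `DEBUG(2,("Failed to get gss creds: %s\n", error_string));` followed by `talloc_free(mem_ctx);`. Separately, this path still returns `NT_STATUS_NO_MEMORY` for every failure, so callers cannot tell a Kerberos error from an allocation failure even though the commit aims to surface the real cause.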
@@ -472,6 +472,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, uint8_t tok_id[2]; struct keytab_container *keytab; krb5_principal server_in_keytab; + const char *error_string; if (!in.data) { return NT_STATUS_INVALID_PARAMETER; @@ -488,9 +489,10 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, /* This ensures we lookup the correct entry in that keytab */ ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security), gensec_krb5_state->smb_krb5_context, - &server_in_keytab); + &server_in_keytab, error_string); if (ret) { + DEBUG(2,("Failed to make credentials from principal: %s\n", error_string)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } |
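Review bot: The principal_from_credentials() call in gensec_krb5_update passes `error_string` by value, whereas every other call site touched by this commit passes `&error_string`. The local is uninitialized at that point, so the callee receives an indeterminate pointer and the following `DEBUG(2, ...)` prints whatever the local happens to hold. The prototype is not shown here, but the argument most likely should read `&server_in_keytab, &error_string);`. The new message text is also reversed relative to the function name; `"Failed to make principal from credentials: %s\n"` would match what is being attempted. The function body extends beyond the hunk.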