Enhance mappings of NTSTATUS to KRB5KDC errors.

The enhanced mappings allow the Windows client to determine whether a user's
password needs to be changed (and allows them to change it), or if they cannot
logon at all.

Changes still need to be made to allow additional data to be returned.  Windows
uses that additional data to display more detailed dialogs to the user.  The
additional information is returned in an e-data struct of type PA-PW-SALT that
contains the more-detailed NTSTATUS error code.
(This used to be commit 6a98e5a7aa0cdbb61358901df50162b5b914ee5c)

1 files changed, 20 insertions, 1 deletions

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index a99cf6ded8..66f36af870 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -276,9 +276,28 @@ krb5_error_code samba_kdc_check_client_access(void *priv,
 
 	/* TODO:  Need a more complete mapping of NTSTATUS to krb5kdc errors */
 
-	if (!NT_STATUS_IS_OK(nt_status)) {
+	/* TODO:  Also need to add the appropriate e-data struct of type
+	 * PA-PW-SALT (3) that includes the NT_STATUS code, which gives Windows
+	 * the information it needs to display the appropriate dialog. */
+
+	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE))
+		return KRB5KDC_ERR_KEY_EXPIRED;
+	else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED))
+		return KRB5KDC_ERR_KEY_EXPIRED;
+	else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED))
+		return KRB5KDC_ERR_CLIENT_REVOKED;
+	else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED))
+		return KRB5KDC_ERR_CLIENT_REVOKED;
+	else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS))
+		return KRB5KDC_ERR_CLIENT_REVOKED;
+	else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT))
+		return KRB5KDC_ERR_CLIENT_REVOKED;
+	else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_WORKSTATION))
+		return KRB5KDC_ERR_POLICY;
+	else if (!NT_STATUS_IS_OK(nt_status)) {
 		return KRB5KDC_ERR_POLICY;
 	}
+
 	return 0;
 }