From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/libads/krb5_errs.c | 132 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 source3/libads/krb5_errs.c (limited to 'source3/libads/krb5_errs.c') diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c new file mode 100644 index 0000000000..cd227d4377 --- /dev/null +++ b/source3/libads/krb5_errs.c @@ -0,0 +1,132 @@ +/* + * Unix SMB/CIFS implementation. + * Kerberos error mapping functions + * Copyright (C) Guenther Deschner 2005 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +#ifdef HAVE_KRB5 + +static const struct { + int krb5_code; + NTSTATUS ntstatus; +} krb5_to_nt_status_map[] = { + {KRB5_CC_IO, NT_STATUS_UNEXPECTED_IO_ERROR}, + {KRB5KDC_ERR_BADOPTION, NT_STATUS_INVALID_PARAMETER}, + {KRB5KDC_ERR_CLIENT_REVOKED, NT_STATUS_ACCESS_DENIED}, + {KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME}, + {KRB5KDC_ERR_ETYPE_NOSUPP, NT_STATUS_LOGON_FAILURE}, +#if defined(KRB5KDC_ERR_KEY_EXPIRED) /* Heimdal */ + {KRB5KDC_ERR_KEY_EXPIRED, NT_STATUS_PASSWORD_EXPIRED}, +#elif defined(KRB5KDC_ERR_KEY_EXP) /* MIT */ + {KRB5KDC_ERR_KEY_EXP, NT_STATUS_PASSWORD_EXPIRED}, +#else +#error Neither KRB5KDC_ERR_KEY_EXPIRED nor KRB5KDC_ERR_KEY_EXP available +#endif + {25, NT_STATUS_PASSWORD_EXPIRED}, /* FIXME: bug in heimdal 0.7 krb5_get_init_creds_password (Inappropriate ioctl for device (25)) */ + {KRB5KDC_ERR_NULL_KEY, NT_STATUS_LOGON_FAILURE}, + {KRB5KDC_ERR_POLICY, NT_STATUS_PASSWORD_RESTRICTION}, + {KRB5KDC_ERR_PREAUTH_FAILED, NT_STATUS_LOGON_FAILURE}, + {KRB5KDC_ERR_SERVICE_REVOKED, NT_STATUS_ACCESS_DENIED}, + {KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME}, + {KRB5KDC_ERR_SUMTYPE_NOSUPP, NT_STATUS_LOGON_FAILURE}, + {KRB5KDC_ERR_TGT_REVOKED, NT_STATUS_ACCESS_DENIED}, + {KRB5_KDC_UNREACH, NT_STATUS_NO_LOGON_SERVERS}, + {KRB5KRB_AP_ERR_BAD_INTEGRITY, NT_STATUS_LOGON_FAILURE}, + {KRB5KRB_AP_ERR_MODIFIED, NT_STATUS_LOGON_FAILURE}, + {KRB5KRB_AP_ERR_SKEW, NT_STATUS_TIME_DIFFERENCE_AT_DC}, + {KRB5KRB_AP_ERR_TKT_EXPIRED, NT_STATUS_LOGON_FAILURE}, + {KRB5KRB_ERR_GENERIC, NT_STATUS_UNSUCCESSFUL}, + {KRB5KRB_ERR_RESPONSE_TOO_BIG, NT_STATUS_PROTOCOL_UNREACHABLE}, + {0, NT_STATUS_OK} +}; + +static const struct { + NTSTATUS ntstatus; + int krb5_code; +} nt_status_to_krb5_map[] = { + {NT_STATUS_LOGON_FAILURE, KRB5KDC_ERR_PREAUTH_FAILED}, + {NT_STATUS_NO_LOGON_SERVERS, KRB5_KDC_UNREACH}, + {NT_STATUS_OK, 0} +}; + +/***************************************************************************** +convert a KRB5 error to a NT status32 code + *****************************************************************************/ +NTSTATUS krb5_to_nt_status(int kerberos_error) +{ + int i; + + if (kerberos_error == 0) { + return NT_STATUS_OK; + } + + for (i=0; NT_STATUS_V(krb5_to_nt_status_map[i].ntstatus); i++) { + if (kerberos_error == krb5_to_nt_status_map[i].krb5_code) + return krb5_to_nt_status_map[i].ntstatus; + } + + return NT_STATUS_UNSUCCESSFUL; +} + +/***************************************************************************** +convert an NT status32 code to a KRB5 error + *****************************************************************************/ +int nt_status_to_krb5(NTSTATUS nt_status) +{ + int i; + + if NT_STATUS_IS_OK(nt_status) { + return 0; + } + + for (i=0; NT_STATUS_V(nt_status_to_krb5_map[i].ntstatus); i++) { + if (NT_STATUS_EQUAL(nt_status,nt_status_to_krb5_map[i].ntstatus)) + return nt_status_to_krb5_map[i].krb5_code; + } + + return KRB5KRB_ERR_GENERIC; +} + +#else + +/***************************************************************************** +convert a KRB5 error to a NT status32 code + *****************************************************************************/ +NTSTATUS krb5_to_nt_status(int kerberos_error) +{ + if (kerberos_error == 0) { + return NT_STATUS_OK; + } + + return NT_STATUS_UNSUCCESSFUL; +} + +/***************************************************************************** +convert an NT status32 code to a KRB5 error + *****************************************************************************/ +int nt_status_to_krb5(NTSTATUS nt_status) +{ + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_OK)) { + return 0; + } + return -1; /* FIXME: what to return here ? */ +} + +#endif + -- cgit From 3c892fdf4f5a33801762e3faa403d2ecb5c1b574 Mon Sep 17 00:00:00 2001 From: Lars Müller Date: Tue, 21 Feb 2006 17:19:20 +0000 Subject: r13597: krb5 error codes are defined as long. (This used to be commit bab8c156a464c1beaa022e0026184e0de84c0bf9) --- source3/libads/krb5_errs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads/krb5_errs.c') diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index cd227d4377..f926024b72 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -23,7 +23,7 @@ #ifdef HAVE_KRB5 static const struct { - int krb5_code; + long krb5_code; NTSTATUS ntstatus; } krb5_to_nt_status_map[] = { {KRB5_CC_IO, NT_STATUS_UNEXPECTED_IO_ERROR}, -- cgit From 0eb50d9016d130217df3d56b9c666468f7cff58b Mon Sep 17 00:00:00 2001 From: Lars Müller Date: Tue, 21 Feb 2006 17:48:20 +0000 Subject: r13599: krb5 error codes are defined as long. Also for the other direction. (This used to be commit 7b8ea1499124d1e1efe325339419a66ab8885b38) --- source3/libads/krb5_errs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads/krb5_errs.c') diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index f926024b72..0277596436 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -58,7 +58,7 @@ static const struct { static const struct { NTSTATUS ntstatus; - int krb5_code; + long krb5_code; } nt_status_to_krb5_map[] = { {NT_STATUS_LOGON_FAILURE, KRB5KDC_ERR_PREAUTH_FAILED}, {NT_STATUS_NO_LOGON_SERVERS, KRB5_KDC_UNREACH}, -- cgit From e11a85eebd660073f3f68b7d6d289476e5193d28 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 9 Mar 2006 14:51:40 +0000 Subject: r14074: Some cleanup; there is no point in declaring and mapping KRB5KRB_ERR_RESPONSE_TOO_BIG when the krb5 library does not know about this. Guenther (This used to be commit 4a1a3c4808307e09fa8ff85da9a963a4a6f0e9ae) --- source3/libads/krb5_errs.c | 35 ++++++----------------------------- 1 file changed, 6 insertions(+), 29 deletions(-) (limited to 'source3/libads/krb5_errs.c') diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index 0277596436..0c2e704702 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -23,7 +23,7 @@ #ifdef HAVE_KRB5 static const struct { - long krb5_code; + krb5_error_code krb5_code; NTSTATUS ntstatus; } krb5_to_nt_status_map[] = { {KRB5_CC_IO, NT_STATUS_UNEXPECTED_IO_ERROR}, @@ -52,13 +52,15 @@ static const struct { {KRB5KRB_AP_ERR_SKEW, NT_STATUS_TIME_DIFFERENCE_AT_DC}, {KRB5KRB_AP_ERR_TKT_EXPIRED, NT_STATUS_LOGON_FAILURE}, {KRB5KRB_ERR_GENERIC, NT_STATUS_UNSUCCESSFUL}, +#if defined(KRB5KRB_ERR_RESPONSE_TOO_BIG) {KRB5KRB_ERR_RESPONSE_TOO_BIG, NT_STATUS_PROTOCOL_UNREACHABLE}, +#endif {0, NT_STATUS_OK} }; static const struct { NTSTATUS ntstatus; - long krb5_code; + krb5_error_code krb5_code; } nt_status_to_krb5_map[] = { {NT_STATUS_LOGON_FAILURE, KRB5KDC_ERR_PREAUTH_FAILED}, {NT_STATUS_NO_LOGON_SERVERS, KRB5_KDC_UNREACH}, @@ -68,7 +70,7 @@ static const struct { /***************************************************************************** convert a KRB5 error to a NT status32 code *****************************************************************************/ -NTSTATUS krb5_to_nt_status(int kerberos_error) + NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error) { int i; @@ -87,7 +89,7 @@ NTSTATUS krb5_to_nt_status(int kerberos_error) /***************************************************************************** convert an NT status32 code to a KRB5 error *****************************************************************************/ -int nt_status_to_krb5(NTSTATUS nt_status) + krb5_error_code nt_status_to_krb5(NTSTATUS nt_status) { int i; @@ -103,30 +105,5 @@ int nt_status_to_krb5(NTSTATUS nt_status) return KRB5KRB_ERR_GENERIC; } -#else - -/***************************************************************************** -convert a KRB5 error to a NT status32 code - *****************************************************************************/ -NTSTATUS krb5_to_nt_status(int kerberos_error) -{ - if (kerberos_error == 0) { - return NT_STATUS_OK; - } - - return NT_STATUS_UNSUCCESSFUL; -} - -/***************************************************************************** -convert an NT status32 code to a KRB5 error - *****************************************************************************/ -int nt_status_to_krb5(NTSTATUS nt_status) -{ - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_OK)) { - return 0; - } - return -1; /* FIXME: what to return here ? */ -} - #endif -- cgit From 359aed77c938ff36143c2bdddd1ae0514cb29388 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 2 May 2006 11:54:18 +0000 Subject: r15392: In most cases, this mapping is more appropriate. (I know, it is still a mess, but there is no way the get NTSTATUS from the edata yet). Guenther (This used to be commit be2bd3945c057a4ad72251f809cffbe4694a7e3d) --- source3/libads/krb5_errs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads/krb5_errs.c') diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index 0c2e704702..e73482522b 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -40,7 +40,7 @@ static const struct { #endif {25, NT_STATUS_PASSWORD_EXPIRED}, /* FIXME: bug in heimdal 0.7 krb5_get_init_creds_password (Inappropriate ioctl for device (25)) */ {KRB5KDC_ERR_NULL_KEY, NT_STATUS_LOGON_FAILURE}, - {KRB5KDC_ERR_POLICY, NT_STATUS_PASSWORD_RESTRICTION}, + {KRB5KDC_ERR_POLICY, NT_STATUS_INVALID_WORKSTATION}, {KRB5KDC_ERR_PREAUTH_FAILED, NT_STATUS_LOGON_FAILURE}, {KRB5KDC_ERR_SERVICE_REVOKED, NT_STATUS_ACCESS_DENIED}, {KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME}, -- cgit From 58247fea05a7420d8eafa0b8ea03944e9422cb6c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 22 Aug 2006 00:36:31 +0000 Subject: r17677: There is no need for a 2nd krb5_to_nt_status function, is there? Michael Adam/Volker, please check. Guenther (This used to be commit d0feb85781f69325ee70aff98370cfac037c4cc2) --- source3/libads/krb5_errs.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libads/krb5_errs.c') diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index e73482522b..38d34f8676 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -55,6 +55,7 @@ static const struct { #if defined(KRB5KRB_ERR_RESPONSE_TOO_BIG) {KRB5KRB_ERR_RESPONSE_TOO_BIG, NT_STATUS_PROTOCOL_UNREACHABLE}, #endif + {KRB5KDC_ERR_NONE, NT_STATUS_OK}, {0, NT_STATUS_OK} }; -- cgit From 2d349000887670c1127d354e9ce2b53284caf7f9 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 20 Dec 2006 10:54:09 +0000 Subject: r20273: Map KRB5_KDCREP_SKEW to NT_STATUS_TIME_DIFFERENCE_AT_DC. This gives much nicer error messages when failing to join due to clock skew. Guenther (This used to be commit 5c5a7611029ff1b630c53d4660578e188acf97f5) --- source3/libads/krb5_errs.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libads/krb5_errs.c') diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index 38d34f8676..a4a3bd3adb 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -50,6 +50,7 @@ static const struct { {KRB5KRB_AP_ERR_BAD_INTEGRITY, NT_STATUS_LOGON_FAILURE}, {KRB5KRB_AP_ERR_MODIFIED, NT_STATUS_LOGON_FAILURE}, {KRB5KRB_AP_ERR_SKEW, NT_STATUS_TIME_DIFFERENCE_AT_DC}, + {KRB5_KDCREP_SKEW, NT_STATUS_TIME_DIFFERENCE_AT_DC}, {KRB5KRB_AP_ERR_TKT_EXPIRED, NT_STATUS_LOGON_FAILURE}, {KRB5KRB_ERR_GENERIC, NT_STATUS_UNSUCCESSFUL}, #if defined(KRB5KRB_ERR_RESPONSE_TOO_BIG) -- cgit From f3a85fb152c0cb07ae1c096f06488f88c4c9d741 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 4 Jan 2007 23:41:16 +0000 Subject: r20536: In the offline PAM session close case the attempt to delete a non-existing krb5 credential cache should not generate an error. Guenther (This used to be commit 11c6f573af5c1d3387e60f3fc44b00e28cd87813) --- source3/libads/krb5_errs.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/libads/krb5_errs.c') diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index a4a3bd3adb..89cfc2d143 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -56,6 +56,8 @@ static const struct { #if defined(KRB5KRB_ERR_RESPONSE_TOO_BIG) {KRB5KRB_ERR_RESPONSE_TOO_BIG, NT_STATUS_PROTOCOL_UNREACHABLE}, #endif + {KRB5_CC_NOTFOUND, NT_STATUS_NO_SUCH_FILE}, + {KRB5_FCC_NOFILE, NT_STATUS_NO_SUCH_FILE}, {KRB5KDC_ERR_NONE, NT_STATUS_OK}, {0, NT_STATUS_OK} }; -- cgit From edccfc91928c323f18febb7b90e41e0ddbfd8c7c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 15 Mar 2007 19:18:18 +0000 Subject: r21845: Refactor the sessionsetupX code a little to allow us to return a NT_STATUS_TIME_DIFFERENCE_AT_DC error to a client when there's clock skew. Will help people debug this. Prepare us for being able to return the correct sessionsetupX "NT_STATUS_MORE_PROCESSING_REQUIRED" error with associated krb5 clock skew error to allow clients to re-sync time with us when we're eventually able to be a KDC. Jeremy. (This used to be commit c426340fc79a6b446033433b8de599130adffe28) --- source3/libads/krb5_errs.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/libads/krb5_errs.c') diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index 89cfc2d143..c153bee96e 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -59,6 +59,8 @@ static const struct { {KRB5_CC_NOTFOUND, NT_STATUS_NO_SUCH_FILE}, {KRB5_FCC_NOFILE, NT_STATUS_NO_SUCH_FILE}, {KRB5KDC_ERR_NONE, NT_STATUS_OK}, + {KRB5_RC_MALLOC, NT_STATUS_NO_MEMORY}, + {ENOMEM, NT_STATUS_NO_MEMORY}, {0, NT_STATUS_OK} }; -- cgit From 8ff276fcb02111664c727178296590d97eb09319 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sun, 6 May 2007 18:56:43 +0000 Subject: r22701: Fix the krb5_nt_status error table and add the "no DCs found" mapping (This used to be commit 2ab617fbbffbd6bf98ee02150f62b87a2610531f) --- source3/libads/krb5_errs.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/libads/krb5_errs.c') diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index c153bee96e..8216fefb64 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -58,10 +58,12 @@ static const struct { #endif {KRB5_CC_NOTFOUND, NT_STATUS_NO_SUCH_FILE}, {KRB5_FCC_NOFILE, NT_STATUS_NO_SUCH_FILE}, - {KRB5KDC_ERR_NONE, NT_STATUS_OK}, {KRB5_RC_MALLOC, NT_STATUS_NO_MEMORY}, {ENOMEM, NT_STATUS_NO_MEMORY}, - {0, NT_STATUS_OK} + {KRB5_REALM_CANT_RESOLVE, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND}, + + /* Must be last entry */ + {KRB5KDC_ERR_NONE, NT_STATUS_OK} }; static const struct { -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/libads/krb5_errs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads/krb5_errs.c') diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index 8216fefb64..0cc51830a7 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -5,7 +5,7 @@ * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or + * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, -- cgit From 153cfb9c83534b09f15cc16205d7adb19b394928 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 05:23:25 +0000 Subject: r23801: The FSF has moved around a lot. This fixes their Mass Ave address. (This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227) --- source3/libads/krb5_errs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/libads/krb5_errs.c') diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c index 0cc51830a7..53023cc75a 100644 --- a/source3/libads/krb5_errs.c +++ b/source3/libads/krb5_errs.c @@ -14,8 +14,7 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * along with this program; if not, see . */ #include "includes.h" -- cgit