From 1a7b2513191fc1b29ccdbf23fca693b41a0d446a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 17 May 2007 05:44:51 +0000 Subject: r22966: Make sure to return LOGON_FAILURE if the user's kerberos password is incorrect. Andrew Bartlett (This used to be commit 9dc6f36e43170bc5bf4f94d893b5a3689460d237) --- source4/auth/gensec/gensec_gssapi.c | 2 ++ source4/auth/gensec/gensec_krb5.c | 17 ++++++++++++----- source4/auth/gensec/spnego.c | 2 +- 3 files changed, 15 insertions(+), 6 deletions(-) (limited to 'source4/auth/gensec')
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 86e988e4cb..4dd5905480 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -347,6 +347,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 switch (ret) {
 case 0:
 break;
+ case KRB5KDC_ERR_PREAUTH_FAILED:
+ return NT_STATUS_LOGON_FAILURE;
 case KRB5_KDC_UNREACH:
 DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 044c7df1de..b23d7f474c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
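Review bot: The new `case KRB5KDC_ERR_PREAUTH_FAILED:` branch in gensec_gssapi_client_start returns NT_STATUS_LOGON_FAILURE without any DEBUG line, unlike the KRB5_KDC_UNREACH case next to it, so a rejected Kerberos password leaves no trace in the log; the gensec_krb5.c hunk adds the same silent return. A line such as `DEBUG(3, ("Kerberos pre-authentication failed while acquiring initiator credentials\n"));` before the return would give operators something to correlate repeated failures against. Only this one KDC error is mapped to a logon failure here; if other credential-related KDC errors should read the same way to the caller, they would need their own cases. The switch and the function continue outside the hunk, so the default branch is not visible here.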
@@ -244,16 +244,23 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security gensec_krb5_state = gensec_security->private_data; gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START; + principal = gensec_get_target_principal(gensec_security); + ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), &ccache_container); - if (ret) { - DEBUG(1,("gensec_krb5_start: cli_credentials_get_ccache failed: %s\n", - error_message(ret))); + switch (ret) { + case 0: + break; + case KRB5KDC_ERR_PREAUTH_FAILED: + return NT_STATUS_LOGON_FAILURE; + case KRB5_KDC_UNREACH: + DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal)); + return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */ + default: + DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentails failed: %s\n", error_message(ret))); return NT_STATUS_UNSUCCESSFUL; } - in_data.length = 0; - principal = gensec_get_target_principal(gensec_security); if (principal && lp_client_use_spnego_principal()) { krb5_principal target_principal; ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal, diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c index 243f239d5d..79dc0ea6e7 100644 --- a/source4/auth/gensec/spnego.c +++ b/source4/auth/gensec/spnego.c @@ -528,7 +528,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ * support the first time. Lets keep this code to * reality */ - return NT_STATUS_INVALID_PARAMETER; + return nt_status; } /** create a negTokenInit -- cgit
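Review bot: `principal` may be NULL when it reaches the new `DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));` in gensec_krb5_client_start, because the context line just below the switch still tests `if (principal && ...)`. Passing NULL for `%s` is undefined behaviour in standard printf-style formatting, so the argument should be guarded, for example `principal ? principal : "(no target principal)"`. The default-case message also misspells "Acquiring" and "credentials", which makes that log line harder to search for. The function starts before and continues past this hunk.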
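Review bot: The new `return nt_status;` in gensec_spnego_parse_negTokenInit propagates a value whose last assignment is outside this hunk, so it is not visible here whether it can be a success or "continue" status on this failure path. If that is possible, a caller could treat a failed mechanism negotiation as success, where the old hard-coded NT_STATUS_INVALID_PARAMETER could not. A guard such as `return NT_STATUS_IS_OK(nt_status) ? NT_STATUS_INVALID_PARAMETER : nt_status;` would keep the fallback. Failing that, a comment stating that `nt_status` always holds an error here would do.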