/* * Unix SMB/CIFS implementation. * Kerberos error mapping functions * Copyright (C) Guenther Deschner 2005 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, see <http://www.gnu.org/licenses/>. */ #include "includes.h" #include "smb_krb5.h" #ifdef HAVE_KRB5 static const struct { krb5_error_code krb5_code; NTSTATUS ntstatus; } krb5_to_nt_status_map[] = { {KRB5_CC_IO, NT_STATUS_UNEXPECTED_IO_ERROR}, {KRB5KDC_ERR_BADOPTION, NT_STATUS_INVALID_PARAMETER}, {KRB5KDC_ERR_CLIENT_REVOKED, NT_STATUS_ACCESS_DENIED}, {KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME}, {KRB5KDC_ERR_ETYPE_NOSUPP, NT_STATUS_LOGON_FAILURE}, #if defined(KRB5KDC_ERR_KEY_EXP) /* MIT */ {KRB5KDC_ERR_KEY_EXP, NT_STATUS_PASSWORD_EXPIRED}, #else /* old Heimdal releases have it with different name only in an enum: */ {KRB5KDC_ERR_KEY_EXPIRED, NT_STATUS_PASSWORD_EXPIRED}, #endif {25, NT_STATUS_PASSWORD_EXPIRED}, /* FIXME: bug in heimdal 0.7 krb5_get_init_creds_password (Inappropriate ioctl for device (25)) */ {KRB5KDC_ERR_NULL_KEY, NT_STATUS_LOGON_FAILURE}, {KRB5KDC_ERR_POLICY, NT_STATUS_INVALID_WORKSTATION}, {KRB5KDC_ERR_PREAUTH_FAILED, NT_STATUS_LOGON_FAILURE}, {KRB5KDC_ERR_SERVICE_REVOKED, NT_STATUS_ACCESS_DENIED}, {KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME}, {KRB5KDC_ERR_SUMTYPE_NOSUPP, NT_STATUS_LOGON_FAILURE}, {KRB5KDC_ERR_TGT_REVOKED, NT_STATUS_ACCESS_DENIED}, {KRB5_KDC_UNREACH, NT_STATUS_NO_LOGON_SERVERS}, {KRB5KRB_AP_ERR_BAD_INTEGRITY, NT_STATUS_LOGON_FAILURE}, {KRB5KRB_AP_ERR_MODIFIED, NT_STATUS_LOGON_FAILURE}, {KRB5KRB_AP_ERR_SKEW, NT_STATUS_TIME_DIFFERENCE_AT_DC}, {KRB5_KDCREP_SKEW, NT_STATUS_TIME_DIFFERENCE_AT_DC}, {KRB5KRB_AP_ERR_TKT_EXPIRED, NT_STATUS_LOGON_FAILURE}, {KRB5KRB_ERR_GENERIC, NT_STATUS_UNSUCCESSFUL}, #if defined(KRB5KRB_ERR_RESPONSE_TOO_BIG) {KRB5KRB_ERR_RESPONSE_TOO_BIG, NT_STATUS_PROTOCOL_UNREACHABLE}, #endif {KRB5_CC_NOTFOUND, NT_STATUS_NO_SUCH_FILE}, {KRB5_FCC_NOFILE, NT_STATUS_NO_SUCH_FILE}, {KRB5_RC_MALLOC, NT_STATUS_NO_MEMORY}, {ENOMEM, NT_STATUS_NO_MEMORY}, {KRB5_REALM_CANT_RESOLVE, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND}, /* Must be last entry */ {KRB5KDC_ERR_NONE, NT_STATUS_OK} }; static const struct { NTSTATUS ntstatus; krb5_error_code krb5_code; } nt_status_to_krb5_map[] = { {NT_STATUS_LOGON_FAILURE, KRB5KDC_ERR_PREAUTH_FAILED}, {NT_STATUS_NO_LOGON_SERVERS, KRB5_KDC_UNREACH}, {NT_STATUS_OK, 0} }; /***************************************************************************** convert a KRB5 error to a NT status32 code *****************************************************************************/ NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error) { int i; if (kerberos_error == 0) { return NT_STATUS_OK; } for (i=0; NT_STATUS_V(krb5_to_nt_status_map[i].ntstatus); i++) { if (kerberos_error == krb5_to_nt_status_map[i].krb5_code) return krb5_to_nt_status_map[i].ntstatus; } return NT_STATUS_UNSUCCESSFUL; } /***************************************************************************** convert an NT status32 code to a KRB5 error *****************************************************************************/ krb5_error_code nt_status_to_krb5(NTSTATUS nt_status) { int i; if NT_STATUS_IS_OK(nt_status) { return 0; } for (i=0; NT_STATUS_V(nt_status_to_krb5_map[i].ntstatus); i++) { if (NT_STATUS_EQUAL(nt_status,nt_status_to_krb5_map[i].ntstatus)) return nt_status_to_krb5_map[i].krb5_code; } return KRB5KRB_ERR_GENERIC; } #endif