author | Sumit Bose <sbose@redhat.com> | 2014-12-17 09:42:57 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-01-13 20:58:58 +0100 |
commit | c1d19e527329643fb291e86484fbd34a587c4073 (patch) | |
tree | b618dd874feef1f918c28f93d8932fb88af1e45b /src/providers | |
parent | d27e7cdb0a10c8130f290983a68870ad291f8832 (diff) | |
krb5: handle KRB5KRB_ERR_GENERIC as unspecific error
KRB5KRB_ERR_GENERIC is a generic error and we cannot make any
assumptions about the cause. If there are cases where
KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this
must be solved by other means.
Resolves https://fedorahosted.org/sssd/ticket/2535
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 4f8e46e60..9645f1aef 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1072,7 +1072,6 @@ static errno_t map_krb5_error(krb5_error_code kerr)
 case KRB5_LIBOS_CANTREADPWD:
 return ERR_NO_CREDS;
 
- case KRB5KRB_ERR_GENERIC:
 case KRB5KRB_AP_ERR_SKEW:
 case KRB5_KDC_UNREACH:
 case KRB5_REALM_CANT_RESOLVE:
@@ -1095,6 +1094,18 @@ static errno_t map_krb5_error(krb5_error_code kerr)
 case KRB5KDC_ERR_PREAUTH_FAILED:
 return ERR_CREDS_INVALID;
 
+ /* Please do not remove KRB5KRB_ERR_GENERIC here, it is a _generic_ error
+ * code and we cannot make any assumptions about the reason for the error.
+ * As a consequence we cannot return a different error code than a generic
+ * one which unfortunately might result in a unspecific system error
+ * message to the user.
+ *
+ * If there are cases where libkrb5 calls return KRB5KRB_ERR_GENERIC where
+ * SSSD should behave differently this has to be detected by different
+ * means, e.g. by evaluation error messages, and then the error code
+ * should be changed to a more suitable KRB5* error code or immediately to
+ * a SSSD ERR_* error code to avoid the default handling here. */
+ case KRB5KRB_ERR_GENERIC:
 default:
 return ERR_INTERNAL;
 } |
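Review bot: The new comment above `case KRB5KRB_ERR_GENERIC:` in the second hunk says why the label must stay on the default branch, but not what the old grouping did: the first hunk takes it out of the group with `KRB5_KDC_UNREACH` and `KRB5_REALM_CANT_RESOLVE`, whose return value lies outside the hunk and is presumably a network-failure code. Because such a code may let the caller treat the KDC as unreachable and fall back to offline or cached authentication, I would add one sentence to the comment, e.g. `Do not group this with the KDC-unreachable codes: a generic error is no evidence that the KDC is offline.` The comment also has two wording slips: "a unspecific" should read "an unspecific" and "by evaluation error messages" should read "by evaluating error messages". The hunk does not show whether callers log the original `kerr` before it is mapped to `ERR_INTERNAL`; that is worth confirming so the generic failure stays diagnosable from the logs. The body of map_krb5_error starts outside both hunks.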