krb5_get_init_creds_password does not consistently prompt for password changing

 	krb5_get_init_creds_password() previously did not consistently
	handle KRB5KDC_ERR_KEY_EXP errors.  If there is a "master_kdc" 
 	entry for the realm and the KDC is reachable, then the function 
	will prompt the user for a password change.  Otherwise, it will
	return the error code to the caller.  If the caller is a ticket 
	manager, it will prompt the user for a password change with a
	dialog that is different from the one generated by the prompter
	function passed to krb5_get_init_creds_password.

	With this change krb5_get_init_creds_password() will always 
	prompt the user if it would return KRB5KDC_ERR_KEY_EXP unless
	the function is compiled with USE_LOGIN_LIBRARY.  (KFM)

ticket: new
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18764 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 4 insertions, 6 deletions

diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index f2837effb..ef9a6b354 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -163,12 +163,10 @@ krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, krb5_princ
       /* if the master is unreachable, return the error from the
 	 slave we were able to contact */
 
-      if ((ret2 == KRB5_KDC_UNREACH) ||
-	  (ret2 == KRB5_REALM_CANT_RESOLVE) ||
-	  (ret2 == KRB5_REALM_UNKNOWN))
-	 goto cleanup;
-
-      ret = ret2;
+       if ((ret2 != KRB5_KDC_UNREACH) &&
+	    (ret2 != KRB5_REALM_CANT_RESOLVE) &&
+	    (ret2 != KRB5_REALM_UNKNOWN))
+	   ret = ret2;
    }
 
 #ifdef USE_LOGIN_LIBRARY