I'm currently looking at why kinit cannot give a decent error message
on the simple fact that a credential has expired. Well, now with 7.4.0
it handles "password expired", but "principal expired" still gives:

kinit: krb5_get_init_creds: No ENC-TS found

which is very broken from a user-support point of view. I tracked this
down to the call in kinit.c line 673, which gets handled by the
default: case of the following switch(ret) with ret=-1765328383. Is that
KRB5KDC_ERR_NAME_EXP? And how does that get translated to "No ENC-TS
found"?

----

    ret = krb5_init_creds_get(context, ctx);

#ifndef NO_NTLM
    if (ntlm_domain && passwd[0])
        heim_ntlm_nt_key(passwd, &ntlmkey);
#endif
    memset(passwd, 0, sizeof(passwd));

    switch(ret){
    case 0:
        break;
    case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
        exit(1);
    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
    case KRB5KRB_AP_ERR_MODIFIED:
    case KRB5KDC_ERR_PREAUTH_FAILED:
    case KRB5_GET_IN_TKT_LOOP:
        krb5_warnx(context, N_("Password incorrect", ""));
        goto out;
    case KRB5KRB_AP_ERR_V4_REPLY:
        krb5_warnx(context, N_("Looks like a Kerberos 4 reply", ""));
        goto out;
    case KRB5KDC_ERR_KEY_EXPIRED:
        krb5_warnx(context, N_("Password expired", ""));
        goto out;
    default:
        krb5_warn(context, ret, "krb5_get_init_creds");
        goto out;
    }

---

Questions:

1. How do I get the list of all KRB5KDC_ERR_* values, and where are
these defined?

2. What possible error values can come back from krb5_init_creds_get()
and how to deal with them better?

3. Should the error handling and generation of the error string be in
this switch() or should it be by some krb5_error_something function?

Harald.

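The arithmetic behind the value -1765328383 quoted in the message above, as an added example that is not part of the original post and not Heimdal's kinit code. The com_err convention used by the krb5 error table (Heimdal's lib/krb5/krb5_err.et, from which krb5_err.h and the KRB5KDC_ERR_* definitions are generated) packs up to four characters of the table name, six bits each, into the high 24 bits of a 32-bit code and keeps the per-table offset in the low byte; for the table "krb5" that gives the base 0x96C73A00, which is -1765328384 as a signed 32-bit value. Offsets 0..50 of that table follow the KDC and AP error codes of RFC 4120 section 7.5.9, so offset 1 is KRB5KDC_ERR_NAME_EXP and offset 23 is KRB5KDC_ERR_KEY_EXPIRED. The function names, the partial name table and the user-facing strings (including "Principal expired") are this example's own assumptions, not Heimdal's API.

```c
/* Added example, not Heimdal's code: how a numeric krb5 error such as
 * -1765328383 splits into a com_err table name plus an 8-bit offset, and how
 * that offset maps to the RFC 4120 error names behind KRB5KDC_ERR_*.
 * Function names and the user-facing strings are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* com_err's 6-bit alphabet for table-name characters; index 0 is unused. */
static const char comerr_alphabet[] =
    "?ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* Table base: up to four name characters, 6 bits each, shifted left by 8 to
 * leave the low byte for the offset.  "krb5" -> 0x96C73A00 == -1765328384. */
int32_t comerr_table_base(const char *name)
{
    uint32_t packed = 0;
    size_t i;
    for (i = 0; i < 4 && name[i] != '\0'; i++) {
        const char *p = strchr(comerr_alphabet, name[i]);
        packed = (packed << 6) | (p ? (uint32_t)(p - comerr_alphabet) : 0u);
    }
    return (int32_t)(packed << 8);
}

/* Offset within the table: the low byte of the code. */
int comerr_offset(int32_t code)
{
    return (int)((uint32_t)code & 0xffu);
}

/* Recover the table name from the high 24 bits (at most four characters). */
void comerr_table_name(int32_t code, char out[5])
{
    uint32_t packed = (uint32_t)code >> 8;
    char tmp[4];
    int n = 0, i;
    while (packed != 0 && n < 4) {
        tmp[n++] = comerr_alphabet[packed & 63u];
        packed >>= 6;
    }
    for (i = 0; i < n; i++)
        out[i] = tmp[n - 1 - i];   /* characters come out last-first */
    out[n] = '\0';
}

/* 1 if the code belongs to the named table (e.g. "krb5"), else 0. */
int comerr_in_table(int32_t code, const char *name)
{
    char t[5];
    comerr_table_name(code, t);
    return strcmp(t, name) == 0;
}

/* A subset of the krb5 table, offsets per RFC 4120 section 7.5.9; the full
 * list lives in krb5_err.et / krb5_err.h. */
static const struct { int off; const char *name; } krb5_names[] = {
    {0, "KRB5KDC_ERR_NONE"}, {1, "KRB5KDC_ERR_NAME_EXP"},
    {2, "KRB5KDC_ERR_SERVICE_EXP"}, {6, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"},
    {7, "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"}, {12, "KRB5KDC_ERR_POLICY"},
    {18, "KRB5KDC_ERR_CLIENT_REVOKED"}, {23, "KRB5KDC_ERR_KEY_EXPIRED"},
    {24, "KRB5KDC_ERR_PREAUTH_FAILED"}, {25, "KRB5KDC_ERR_PREAUTH_REQUIRED"},
    {31, "KRB5KRB_AP_ERR_BAD_INTEGRITY"}, {41, "KRB5KRB_AP_ERR_MODIFIED"},
};

const char *kdc_error_name(int32_t code)
{
    size_t i;
    if (!comerr_in_table(code, "krb5"))
        return "not a krb5-table code";
    for (i = 0; i < sizeof krb5_names / sizeof krb5_names[0]; i++)
        if (krb5_names[i].off == comerr_offset(code))
            return krb5_names[i].name;
    return "krb5 code not in this example's table";
}

/* What kinit's switch() could print for these cases; wording is this
 * example's, not kinit's.  Offset 1 is the "principal expired" gap. */
const char *kinit_user_message(int32_t code)
{
    if (code == 0) return "OK";
    if (!comerr_in_table(code, "krb5")) return "unexpected error";
    switch (comerr_offset(code)) {
    case 1:  return "Principal expired";          /* KRB5KDC_ERR_NAME_EXP */
    case 23: return "Password expired";           /* KRB5KDC_ERR_KEY_EXPIRED */
    case 24: case 31: case 41: return "Password incorrect";
    default: return "krb5_get_init_creds failed";
    }
}

int main(void)
{
    int32_t ret = -1765328383;   /* the value from the message above */
    char table[5];
    comerr_table_name(ret, table);
    printf("%d = table \"%s\" + %d = %s -> \"%s\"\n", (int)ret, table,
           comerr_offset(ret), kdc_error_name(ret), kinit_user_message(ret));
    return 0;
}
```

Build with cc and run; it prints the decomposition of -1765328383 as table "krb5" plus offset 1. Inside a real Heimdal program the same lookup is done with krb5_get_error_message(context, ret) (released with krb5_free_error_message), which also returns any context-specific message the library saved, which is why the string printed for a given numeric code can differ from the static table entry.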