Well, I' making some progress.

The context I get when krb5_init_creds_get() returns is

$23 = {etypes = 0x0, cfg_etypes = 0x0, etypes_des = 0x0, as_etypes = 0x0, 
  tgs_etypes = 0x0, permitted_enctypes = 0x0, default_realms = 0x0, 
  max_skew = 300, kdc_timeout = 30, host_timeout = 3, max_retries = 3, 
  kdc_sec_offset = 0, kdc_usec_offset = 0, cf = 0x60bb40, et_list = 0x60a0c0, 
  warn_dest = 0x0, debug_dest = 0x0, cc_ops = 0x60ebe0, num_cc_ops = 6, 
  http_proxy = 0x0, time_fmt = 0x7ffff79abada "%Y-%m-%dT%H:%M:%S", 
  log_utc = 0, default_keytab = 0x7ffff79ab985 "FILE:/etc/krb5.keytab", 
  default_keytab_modify = 0x0, use_admin_kdc = 0, extra_addresses = 0x0, 
  scan_interfaces = 1, srv_lookup = 1, srv_try_txt = 0, fcache_vno = 0, 
  num_kt_types = 6, kt_types = 0x60ecd0, date_fmt = 0x7ffff79abaf8 "%Y-%m-%d", 
  error_string = 0x6112e0 "No ENC-TS found", error_code = -1765328383, 
(...)

And because the return code ret is the same as the error_code in the
context, krb5_get_error_message() just copies the string from the
context. However, if krb5_get_error_message() does its own lookup of
-1765328383 it gets "Client's entry in database has expired" which is
more like it. But where does "No ENC-TS found" come from and why is it
"better" than the own lookup?

Of course the error string printing function could return all text it
finds and leave the interpretation to the user. Like this, patch at
the end.

$ /usr/heimdal/bin/kinit 
haba/t...@nada.kth.se's Password: <correct password but principal expired>
kinit: krb5_get_init_creds: Client's entry in database has expired, No ENC-TS 
found


String operations i C are always fun.

Harald.


--- error_string.c.orig 2017-07-11 07:14:16.000000000 +0200
+++ error_string.c      2017-10-05 13:46:04.654728188 +0200
@@ -234,8 +234,8 @@
         }
        HEIMDAL_MUTEX_unlock(&context->mutex);
 
-        if (str)
-            return str;
+        /*if (str)
+         return str; return later*/
     }
     else
     {
@@ -249,10 +249,19 @@
     if (free_context)
         krb5_free_context(context);
 
-    if (cstr)
-        return strdup(cstr);
+    if (!cstr)
+       cstr = error_message(code);
+
+    if (str && !cstr)
+       return str;
 
-    cstr = error_message(code);
+    if (str && cstr)
+       if (strncmp(str, cstr, sizeof(buf)) == 0)
+           return str;
+       else
+           strncat(cstr, ", ", sizeof(buf));
+           return strdup(strncat(cstr, str, sizeof(buf)));
+
     if (cstr)
         return strdup(cstr);
 


Harald.

Reply via email to