On Thu, Oct 05, 2017 at 10:37:26AM +0200, Harald Barth wrote:
> I'm currently looking at why kinit can not give a decent error message
> on the easy fact that a credential has expired. Well, now with 7.4.0
> it handles "password expired" but "principal expired" still gives:
> kinit: krb5_get_init_creds: No ENC-TS found
> which is very broken from a user support group view. I tracked this
> down to the call in kinit.c line 673 which gets handled by the
> default: in the following switch(ret) with ret=-1765328383. Is that
> KRB5KDC_ERR_NAME_EXP - but how does that get translated to "No ENC-TS
Oh, yeah, that's lame.
> 1. How do I get the list of all KRB5KDC_ERR_* values and where are
> these defined?
The *.et files define them. KRB5KDC_ERR_* errors come from RFC4120 and
related RFCs, but in the source tree they are defined in *.et files.
> 2. What possible error values can come back from krb5_init_creds_get()
> and how to deal with them better?
We don't have an exhaustive list. Does MIT? But whatever the case,
these errors should always come with a user-meaningful error message.
So let's improve this.
> 3. Should the error handling and generation of the error string be in
> this switch() or should it be by some krb5_error_something function?
krb5_get_init_creds_*() should definitely set appropriate error
messages, however, kinit probably does need to remap them or add
additional text (mostly prefixes).
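As an added example (not code from this thread and not Heimdal's kinit), the following shows the com_err convention behind the *.et files, which is how a value like -1765328383 decodes to table "krb5", index 1, i.e. KRB5KDC_ERR_NAME_EXP, and the kind of client-side remapping to a user-meaningful prefix that the reply above describes. The index-to-name mapping follows RFC 4120 section 7.5.9 (the krb5 error table lists the KDC codes in protocol order starting at index 0, KRB5KDC_ERR_NONE); the message wording, the format_client_error helper and the placeholder library message are assumptions for illustration, not Heimdal's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* com_err packs each character of the table name into 6 bits
 * (A-Z = 1..26, a-z = 27..52, 0-9 = 53..62, '_' = 63), uses at most
 * four characters, shifts the result left by ERRCODE_RANGE (8 bits)
 * and interprets the 32-bit value as signed. That is where the large
 * negative krb5 codes come from. */
static unsigned char_to_num(char c)
{
    if (c >= 'A' && c <= 'Z') return (unsigned)(c - 'A') + 1;
    if (c >= 'a' && c <= 'z') return (unsigned)(c - 'a') + 27;
    if (c >= '0' && c <= '9') return (unsigned)(c - '0') + 53;
    if (c == '_') return 63;
    return 0;
}

/* Base code of an error table, e.g. "krb5" -> -1765328384. */
int32_t et_table_base(const char *name)
{
    uint32_t code = 0;
    int i;
    for (i = 0; i < 4 && name[i] != '\0'; i++)
        code = (code << 6) | char_to_num(name[i]);
    return (int32_t)(code << 8);
}

/* A code is <table base> + <index of the message in that table>:
 * the low 8 bits are the index, the remaining bits name the table. */
int32_t et_index(int32_t code)   { return (int32_t)((uint32_t)code & 0xffu); }
int32_t et_base_of(int32_t code) { return (int32_t)((uint32_t)code & ~0xffu); }

/* User-facing text for the KDC error codes a credential-acquisition
 * client most often meets. Indices are the RFC 4120 error numbers;
 * the wording is an assumption for this example. Returns NULL for
 * anything outside the krb5 table or not in this list. */
const char *kdc_err_user_message(int32_t code)
{
    if (et_base_of(code) != et_table_base("krb5"))
        return NULL;
    switch (et_index(code)) {
    case 1:  return "Client principal has expired";         /* KDC_ERR_NAME_EXP */
    case 2:  return "Server principal has expired";         /* KDC_ERR_SERVICE_EXP */
    case 6:  return "Client principal unknown to the KDC";  /* KDC_ERR_C_PRINCIPAL_UNKNOWN */
    case 7:  return "Server principal unknown to the KDC";  /* KDC_ERR_S_PRINCIPAL_UNKNOWN */
    case 18: return "Client credentials have been revoked"; /* KDC_ERR_CLIENT_REVOKED */
    case 23: return "Password has expired";                 /* KDC_ERR_KEY_EXPIRED */
    case 24: return "Pre-authentication failed (wrong password?)"; /* KDC_ERR_PREAUTH_FAILED */
    default: return NULL;
    }
}

/* What a client such as kinit could do after krb5_get_init_creds_*()
 * fails: keep the library's own message (lib_msg, a constructed
 * placeholder here) but lead with a prefix the user can act on, and
 * only fall back to the raw library text for codes it does not know. */
int format_client_error(int32_t code, const char *lib_msg, char *buf, size_t n)
{
    const char *user = kdc_err_user_message(code);
    if (user != NULL)
        return snprintf(buf, n, "kinit: %s (%s, code %d)", user, lib_msg, (int)code);
    return snprintf(buf, n, "kinit: krb5_get_init_creds: %s", lib_msg);
}

int main(void)
{
    char buf[128];
    int32_t ret = -1765328383;  /* the value seen in the kinit switch above */

    printf("base(krb5) = %d, index = %d\n", et_table_base("krb5"), et_index(ret));
    format_client_error(ret, "No ENC-TS found", buf, sizeof buf);
    puts(buf);
    return 0;
}
```

Compiling this with no krb5 headers is the point: the decoding needs only the table name and the index, so it is a quick way to check which *.et entry a raw code refers to before deciding whether the library message or the client prefix is the right place to fix.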