On Thu, Oct 05, 2017 at 10:37:26AM +0200, Harald Barth wrote:
> I'm currently looking at why kinit can not give a decent error message
> on the easy fact that a credential has expired. Well, now with 7.4.0
> it handles "password expired" but "principal expired" still gives:
> kinit: krb5_get_init_creds: No ENC-TS found
> which is very broken from a user support group view. I tracked this
> down to the call in kinit.c line 673 which gets handled by the
> default: in the following switch(ret) with ret=-1765328383 Is that
> KRB5KDC_ERR_NAME_EXP - but how does that get translated to "No ENC-TS
> found"?

Oh, yeah, that's lame.

> Questions:
> 1. How do I get the list of all KRB5KDC_ERR_* values and where are
> these defined? 

The *.et files define them.  KRB5KDC_ERR_* errors come from RFC4120 and
related RFCs, but in the source tree they are defined in *.et files.

> 2. What possible error values can come back from krb5_init_creds_get()
> and how to deal with them better?

We don't have an exhaustive list.  Does MIT?  But whatever the case,
these errors should always come with a user-meaningful error message.
So let's improve this.

> 3. Should the error handling and generation of the error string be in
> this switch() or should it be by some krb5_error_something function?

krb5_get_init_creds_*() should definitely set appropriate error
messages, however, kinit probably does need to remap them or add
additional text (mostly prefixes).


Reply via email to