kinit error message (Heimdal 7.4.0)


kinit error message (Heimdal 7.4.0)

Harald Barth-2

I'm currently looking at why kinit can not give a decent error message
on the easy fact that a credential has expired. Well, now with 7.4.0
it handles "password expired" but "principal expired" still gives:

kinit: krb5_get_init_creds: No ENC-TS found

which is very broken from a user support group view. I tracked this
down to the call in kinit.c line 673 which gets handled by the
default: in the following switch(ret) with ret=-1765328383. Is that
KRB5KDC_ERR_NAME_EXP, but how does that get translated to "No ENC-TS
found"?

----

    ret = krb5_init_creds_get(context, ctx);

#ifndef NO_NTLM
    if (ntlm_domain && passwd[0])
        heim_ntlm_nt_key(passwd, &ntlmkey);
#endif
    memset(passwd, 0, sizeof(passwd));

    switch(ret){
    case 0:
        break;
    case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
        exit(1);
    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
    case KRB5KRB_AP_ERR_MODIFIED:
    case KRB5KDC_ERR_PREAUTH_FAILED:
    case KRB5_GET_IN_TKT_LOOP:
        krb5_warnx(context, N_("Password incorrect", ""));
        goto out;
    case KRB5KRB_AP_ERR_V4_REPLY:
        krb5_warnx(context, N_("Looks like a Kerberos 4 reply", ""));
        goto out;
    case KRB5KDC_ERR_KEY_EXPIRED:
        krb5_warnx(context, N_("Password expired", ""));
        goto out;
    default:
        krb5_warn(context, ret, "krb5_get_init_creds");
        goto out;
    }

---

Questions:

1. How do I get the list of all KRB5KDC_ERR_* values and where are
these defined?

2. What possible error values can come back from krb5_init_creds_get()
and how to deal with them better?

3. Should the error handling and generation of the error string be in
this switch() or should it be by some krb5_error_something function?

Harald.


Re: kinit error message (Heimdal 7.4.0)

Nico Williams
On Thu, Oct 05, 2017 at 10:37:26AM +0200, Harald Barth wrote:

> I'm currently looking at why kinit can not give a decent error message
> on the easy fact that a credential has expired. Well, now with 7.4.0
> it handles "password expired" but "principal expired" still gives:
>
> kinit: krb5_get_init_creds: No ENC-TS found
>
> which is very broken from a user support group view. I tracked this
> down to the call in kinit.c line 673 which gets handled by the
> default: in the following switch(ret) with ret=-1765328383. Is that
> KRB5KDC_ERR_NAME_EXP, but how does that get translated to "No ENC-TS
> found"?

Oh, yeah, that's lame.

> Questions:
>
> 1. How do I get the list of all KRB5KDC_ERR_* values and where are
> these defined?

The *.et files define them.  KRB5KDC_ERR_* errors come from RFC 4120 and
related RFCs, but in the source tree they are defined in *.et files.

> 2. What possible error values can come back from krb5_init_creds_get()
> and how to deal with them better?

We don't have an exhaustive list.  Does MIT?  But whatever the case,
these errors should always come with a user-meaningful error message.
So let's improve this.

> 3. Should the error handling and generation of the error string be in
> this switch() or should it be by some krb5_error_something function?

krb5_get_init_creds_*() should definitely set appropriate error
messages, however, kinit probably does need to remap them or add
additional text (mostly prefixes).

Nico
--
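Added illustration, not part of the thread and not Heimdal code: how the *.et tables Nico points to turn RFC 4120 KDC error numbers into values like the ret=-1765328383 Harald saw, and the kind of remapping he suggests kinit should do in answer to question 3. compile_et packs the table name (here "krb5") six bits per character and shifts it left by eight, so every krb5 code is the table base -1765328384 plus the RFC offset; the offset-to-name table below lists only RFC 4120 codes 0 through 25, and kinit_user_message is a hypothetical helper, not a function in kinit.c.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Character set compile_et uses to pack an error-table name, six bits per
 * character: A..Z -> 1..26, a..z -> 27..52, 0..9 -> 53..62, '_' -> 63. */
static const char char_set[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* ERROR_TABLE_BASE_<name>: up to four name characters packed six bits each,
 * shifted left by eight (256 codes per table), read back as signed 32-bit.
 * For "krb5" this is -1765328384, hence the large negative krb5 codes. */
int32_t com_err_table_base(const char *name)
{
    uint32_t packed = 0;
    size_t i;

    for (i = 0; i < 4 && name[i] != '\0'; i++) {
        const char *p = strchr(char_set, name[i]);
        if (p == NULL)
            return 0;                       /* invalid table-name character */
        packed = (packed << 6) + (uint32_t)(p - char_set + 1);
    }
    packed <<= 8;
    /* Two's-complement reinterpretation, spelled out to stay portable. */
    if (packed >= 0x80000000u)
        return (int32_t)((int64_t)packed - 0x100000000LL);
    return (int32_t)packed;
}

/* Inverse of the packing: recover the table name from any com_err code,
 * which is how error_message() locates the right table.  out holds 5 bytes. */
char *com_err_table_name(int32_t code, char out[5])
{
    uint32_t packed = ((uint32_t)code >> 8) & 0x00ffffffu;
    size_t n = 0;
    int shift;

    for (shift = 18; shift >= 0; shift -= 6) {
        unsigned idx = (packed >> shift) & 63u;
        if (idx != 0)                       /* zero slots = unused positions */
            out[n++] = char_set[idx - 1];
    }
    out[n] = '\0';
    return out;
}

/* KDC error codes 0..25 from RFC 4120 section 7.5.9, indexed by offset in
 * the krb5 table, using the KRB5KDC_ERR_* names of the *.et files. */
static const char *const kdc_err_names[] = {
    "KRB5KDC_ERR_NONE", "KRB5KDC_ERR_NAME_EXP", "KRB5KDC_ERR_SERVICE_EXP",
    "KRB5KDC_ERR_BAD_PVNO", "KRB5KDC_ERR_C_OLD_MAST_KVNO",
    "KRB5KDC_ERR_S_OLD_MAST_KVNO", "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE",
    "KRB5KDC_ERR_NULL_KEY", "KRB5KDC_ERR_CANNOT_POSTDATE",
    "KRB5KDC_ERR_NEVER_VALID", "KRB5KDC_ERR_POLICY", "KRB5KDC_ERR_BADOPTION",
    "KRB5KDC_ERR_ETYPE_NOSUPP", "KRB5KDC_ERR_SUMTYPE_NOSUPP",
    "KRB5KDC_ERR_PADATA_TYPE_NOSUPP", "KRB5KDC_ERR_TRTYPE_NOSUPP",
    "KRB5KDC_ERR_CLIENT_REVOKED", "KRB5KDC_ERR_SERVICE_REVOKED",
    "KRB5KDC_ERR_TGT_REVOKED", "KRB5KDC_ERR_CLIENT_NOTYET",
    "KRB5KDC_ERR_SERVICE_NOTYET", "KRB5KDC_ERR_KEY_EXPIRED",
    "KRB5KDC_ERR_PREAUTH_FAILED", "KRB5KDC_ERR_PREAUTH_REQUIRED",
};

/* Symbolic name for a krb5-table code; NULL if it belongs to another table
 * or lies beyond the short list above. */
const char *kdc_err_name(int32_t code)
{
    int64_t offset = (int64_t)code - com_err_table_base("krb5");
    if (offset < 0 ||
        offset >= (int64_t)(sizeof kdc_err_names / sizeof kdc_err_names[0]))
        return NULL;
    return kdc_err_names[offset];
}

/* Hypothetical kinit-side remapping: a user-meaningful text for the codes a
 * support desk sees, falling back to the symbolic name rather than to an
 * unrelated message such as the preauth one from the report. */
const char *kinit_user_message(int32_t code)
{
    const char *name = kdc_err_name(code);
    if (name == NULL)
        return "unknown error";
    if (strcmp(name, "KRB5KDC_ERR_NAME_EXP") == 0)
        return "Principal expired";
    if (strcmp(name, "KRB5KDC_ERR_KEY_EXPIRED") == 0)
        return "Password expired";
    return name;
}

int main(void)
{
    char table[5];
    int32_t ret = -1765328383;              /* the value from the report */

    printf("base(krb5) = %d\n", com_err_table_base("krb5"));
    printf("%d: table %s, %s -> %s\n", ret, com_err_table_name(ret, table),
           kdc_err_name(ret), kinit_user_message(ret));
    return 0;
}
```

Running it confirms the arithmetic behind the report: -1765328383 is krb5 table offset 1, i.e. KRB5KDC_ERR_NAME_EXP, and the already-handled KRB5KDC_ERR_KEY_EXPIRED is offset 23 (-1765328361); the "No ENC-TS found" text is not a property of the code itself but of whatever message the init-creds path attached last.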

Re: kinit error message (Heimdal 7.4.0)

Nico Williams
In reply to this post by Harald Barth-2
On Thu, Oct 05, 2017 at 10:37:26AM +0200, Harald Barth wrote:
> I'm currently looking at why kinit can not give a decent error message
> on the easy fact that a credential has expired. Well, now with 7.4.0
> it handles "password expired" but "principal expired" still gives:

So, to reproduce just mark a principal as expired and try to kinit?