krb5 commit: Use k5_setmsg

Greg Hudson ghudson at MIT.EDU
Thu Jun 5 11:34:34 EDT 2014


https://github.com/krb5/krb5/commit/a7b5808b5df9e54ef8a8a7ac24e5faad458ddbce
commit a7b5808b5df9e54ef8a8a7ac24e5faad458ddbce
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sat May 24 12:15:32 2014 -0400

    Use k5_setmsg
    
    Replace most calls to krb5_set_error_message with k5_setmsg for
    brevity.  Leave alone plugin sources where we don't include k5-int.h
    (mostly PKINIT).

 src/kdc/fast_util.c                                |   40 ++++-----
 src/kdc/kdc_preauth_ec.c                           |   10 +--
 src/kdc/kdc_util.c                                 |    4 +-
 src/lib/gssapi/krb5/acquire_cred.c                 |    5 +-
 src/lib/gssapi/krb5/disp_status.c                  |    2 +-
 src/lib/kadm5/alt_prof.c                           |    7 +-
 src/lib/kadm5/srv/pwqual_empty.c                   |    6 +-
 src/lib/kadm5/srv/pwqual_hesiod.c                  |    7 +-
 src/lib/kadm5/srv/pwqual_princ.c                   |    6 +-
 src/lib/kadm5/srv/server_kdb.c                     |    4 +-
 src/lib/kdb/kdb5.c                                 |   40 ++++-----
 src/lib/kdb/kdb_default.c                          |   34 ++++----
 src/lib/krb5/ccache/cc_dir.c                       |   35 ++++-----
 src/lib/krb5/ccache/cc_file.c                      |   11 +--
 src/lib/krb5/ccache/cc_keyring.c                   |   11 +--
 src/lib/krb5/ccache/cccursor.c                     |   10 +-
 src/lib/krb5/keytab/kt_file.c                      |   23 ++----
 src/lib/krb5/keytab/ktfns.c                        |    4 +-
 src/lib/krb5/krb/authdata_dec.c                    |    4 +-
 src/lib/krb5/krb/fast.c                            |   27 +++----
 src/lib/krb5/krb/gc_via_tkt.c                      |   13 ++--
 src/lib/krb5/krb/get_in_tkt.c                      |   13 ++--
 src/lib/krb5/krb/gic_keytab.c                      |    5 +-
 src/lib/krb5/krb/parse.c                           |    8 +-
 src/lib/krb5/krb/plugin.c                          |   10 +-
 src/lib/krb5/krb/preauth2.c                        |    8 +-
 src/lib/krb5/krb/preauth_otp.c                     |    8 +-
 src/lib/krb5/krb/rd_req_dec.c                      |   82 +++++++++-----------
 src/lib/krb5/krb/t_copy_context.c                  |    2 +-
 src/lib/krb5/os/expand_path.c                      |   44 +++++------
 src/lib/krb5/os/locate_kdc.c                       |   10 +-
 src/lib/krb5/os/sendto_kdc.c                       |    6 +-
 src/lib/krb5/rcache/rc_io.c                        |   76 ++++++++-----------
 src/plugins/kdb/db2/kdb_db2.c                      |   11 +--
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c        |    8 +-
 src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c   |   22 +++---
 src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c     |    3 +-
 src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c     |    1 -
 .../kdb/ldap/libkdb_ldap/ldap_krbcontainer.c       |    9 +--
 src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c       |   46 +++++------
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c  |    4 +-
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |   65 +++++++---------
 src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c      |   28 +++----
 .../kdb/ldap/libkdb_ldap/ldap_service_stash.c      |   20 ++---
 src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c |    7 +-
 src/plugins/preauth/securid_sam2/securid2.c        |    6 +-
 46 files changed, 360 insertions(+), 445 deletions(-)

diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 14d833f..20b7fef 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -59,26 +59,25 @@ static krb5_error_code armor_ap_request
                          kdc_active_realm->realm_keytab,  NULL, &ticket);
     if (retval != 0) {
         const char * errmsg = krb5_get_error_message(kdc_context, retval);
-        krb5_set_error_message(kdc_context, retval,
-                               _("%s while handling ap-request armor"),
-                               errmsg);
+        k5_setmsg(kdc_context, retval, _("%s while handling ap-request armor"),
+                  errmsg);
         krb5_free_error_message(kdc_context, errmsg);
     }
     if (retval == 0) {
         if (!krb5_principal_compare_any_realm(kdc_context,
                                               tgs_server,
                                               ticket->server)) {
-            krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH,
-                                   _("ap-request armor for something other "
-                                     "than the local TGS"));
+            k5_setmsg(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH,
+                      _("ap-request armor for something other than the local "
+                        "TGS"));
             retval = KRB5KDC_ERR_SERVER_NOMATCH;
         }
     }
     if (retval == 0) {
         retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey);
         if (retval != 0 || subkey == NULL) {
-            krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
-                                   _("ap-request armor without subkey"));
+            k5_setmsg(kdc_context, KRB5KDC_ERR_POLICY,
+                      _("ap-request armor without subkey"));
             retval = KRB5KDC_ERR_POLICY;
         }
     }
@@ -159,17 +158,16 @@ kdc_find_fast(krb5_kdc_req **requestptr,
             case KRB5_FAST_ARMOR_AP_REQUEST:
                 if (tgs_subkey) {
                     retval = KRB5KDC_ERR_PREAUTH_FAILED;
-                    krb5_set_error_message(kdc_context, retval,
-                                           _("Ap-request armor not permitted "
-                                             "with TGS"));
+                    k5_setmsg(kdc_context, retval,
+                              _("Ap-request armor not permitted with TGS"));
                     break;
                 }
                 retval = armor_ap_request(state, fast_armored_req->armor);
                 break;
             default:
-                krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
-                                       _("Unknown FAST armor type %d"),
-                                       fast_armored_req->armor->armor_type);
+                k5_setmsg(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
+                          _("Unknown FAST armor type %d"),
+                          fast_armored_req->armor->armor_type);
                 retval = KRB5KDC_ERR_PREAUTH_FAILED;
             }
         }
@@ -181,9 +179,8 @@ kdc_find_fast(krb5_kdc_req **requestptr,
                                               &state->armor_key);
             else {
                 retval = KRB5KDC_ERR_PREAUTH_FAILED;
-                krb5_set_error_message(kdc_context, retval,
-                                       _("No armor key but FAST armored "
-                                         "request present"));
+                k5_setmsg(kdc_context, retval,
+                          _("No armor key but FAST armored request present"));
             }
         }
         if (retval == 0) {
@@ -218,15 +215,14 @@ kdc_find_fast(krb5_kdc_req **requestptr,
                                             &cksum_valid);
         if (retval == 0 && !cksum_valid) {
             retval = KRB5KRB_AP_ERR_MODIFIED;
-            krb5_set_error_message(kdc_context, retval,
-                                   _("FAST req_checksum invalid; request "
-                                     "modified"));
+            k5_setmsg(kdc_context, retval,
+                      _("FAST req_checksum invalid; request modified"));
         }
         if (retval == 0) {
             if (!krb5_c_is_keyed_cksum(cksum->checksum_type)) {
                 retval = KRB5KDC_ERR_POLICY;
-                krb5_set_error_message(kdc_context, retval,
-                                       _("Unkeyed checksum used in fast_req"));
+                k5_setmsg(kdc_context, retval,
+                          _("Unkeyed checksum used in fast_req"));
             }
         }
         if (retval == 0) {
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index 720fefa..feef368 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -71,9 +71,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
 
     if (armor_key == NULL) {
         retval = ENOENT;
-        krb5_set_error_message(context, ENOENT,
-                               _("Encrypted Challenge used outside of FAST "
-                                 "tunnel"));
+        k5_setmsg(context, ENOENT,
+                  _("Encrypted Challenge used outside of FAST tunnel"));
     }
     scratch.data = (char *) data->contents;
     scratch.length = data->length;
@@ -107,9 +106,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
         }
         if (client_keys[i].enctype == 0) {
             retval = KRB5KDC_ERR_PREAUTH_FAILED;
-            krb5_set_error_message(context, retval,
-                                   _("Incorrect password in encrypted "
-                                     "challenge"));
+            k5_setmsg(context, retval,
+                      _("Incorrect password in encrypted challenge"));
         }
     }
     if (retval == 0)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 93a51d5..98e1937 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -286,8 +286,8 @@ kdc_process_tgs_req(kdc_realm_t *kdc_active_realm,
     if (retval != 0)
         goto cleanup_authenticator;
     if (authdata&& authdata[0]) {
-        krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
-                               "ticket valid only as FAST armor");
+        k5_setmsg(kdc_context, KRB5KDC_ERR_POLICY,
+                  "ticket valid only as FAST armor");
         retval = KRB5KDC_ERR_POLICY;
         krb5_free_authdata(kdc_context, authdata);
         goto cleanup_authenticator;
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index a31bc11..f952f64 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -162,9 +162,8 @@ check_keytab(krb5_context context, krb5_keytab kt, krb5_gss_name_t name)
     if (code == KRB5_KT_END) {
         code = KRB5_KT_NOTFOUND;
         if (krb5_unparse_name(context, accprinc, &princname) == 0) {
-            krb5_set_error_message(context, code,
-                                   _("No key table entry found matching %s"),
-                                   princname);
+            k5_setmsg(context, code, _("No key table entry found matching %s"),
+                      princname);
             free(princname);
         }
     }
diff --git a/src/lib/gssapi/krb5/disp_status.c b/src/lib/gssapi/krb5/disp_status.c
index 69c3cb9..6ff62a9 100644
--- a/src/lib/gssapi/krb5/disp_status.c
+++ b/src/lib/gssapi/krb5/disp_status.c
@@ -142,7 +142,7 @@ void krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx)
     save_error_string(minor_code, s);
     /* The get_error_message call above resets the error message in
        ctx.  Put it back, in case we make this call again *sigh*.  */
-    krb5_set_error_message(ctx, (krb5_error_code)minor_code, "%s", s);
+    k5_setmsg(ctx, (krb5_error_code)minor_code, "%s", s);
     krb5_free_error_message(ctx, s);
 }
 void krb5_gss_delete_error_info(void *p)
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index 09be1ef..9ebcb73 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -851,10 +851,9 @@ kadm5_get_admin_service_name(krb5_context ctx, char *realm_in,
     err = getaddrinfo(params_out.admin_server, NULL, &hint, &ai);
     if (err != 0) {
         ret = KADM5_CANT_RESOLVE;
-        krb5_set_error_message(ctx, ret,
-                               _("Cannot resolve address of admin server "
-                                 "\"%s\" for realm \"%s\""),
-                               params_out.admin_server, realm_in);
+        k5_setmsg(ctx, ret,
+                  _("Cannot resolve address of admin server \"%s\" for realm "
+                    "\"%s\""), params_out.admin_server, realm_in);
         goto err_params;
     }
     if (strlen(ai->ai_canonname) + sizeof("kadmin/") > maxlen) {
diff --git a/src/lib/kadm5/srv/pwqual_empty.c b/src/lib/kadm5/srv/pwqual_empty.c
index 67118db..1fc9b7b 100644
--- a/src/lib/kadm5/srv/pwqual_empty.c
+++ b/src/lib/kadm5/srv/pwqual_empty.c
@@ -26,7 +26,7 @@
 
 /* Password quality module to reject empty passwords */
 
-#include "k5-platform.h"
+#include "k5-int.h"
 #include <krb5/pwqual_plugin.h>
 #include "server_internal.h"
 
@@ -38,8 +38,8 @@ empty_check(krb5_context context, krb5_pwqual_moddata data,
     /* Unlike other built-in modules, this one operates even for principals
      * with no password policy. */
     if (*password == '\0') {
-        krb5_set_error_message(context, KADM5_PASS_Q_TOOSHORT,
-                               _("Empty passwords are not allowed"));
+        k5_setmsg(context, KADM5_PASS_Q_TOOSHORT,
+                  _("Empty passwords are not allowed"));
         return KADM5_PASS_Q_TOOSHORT;
     }
     return 0;
diff --git a/src/lib/kadm5/srv/pwqual_hesiod.c b/src/lib/kadm5/srv/pwqual_hesiod.c
index 28959d7..7c82bba 100644
--- a/src/lib/kadm5/srv/pwqual_hesiod.c
+++ b/src/lib/kadm5/srv/pwqual_hesiod.c
@@ -29,7 +29,7 @@
  * passwd information, if the tree is compiled with Hesiod support.
  */
 
-#include "k5-platform.h"
+#include "k5-int.h"
 #include <krb5/pwqual_plugin.h>
 #include "server_internal.h"
 #include <ctype.h>
@@ -110,9 +110,8 @@ hesiod_check(krb5_context context, krb5_pwqual_moddata data,
     for (i = 0; i < n; i++) {
         ent = hes_getpwnam(cp);
         if (ent && ent->pw_gecos && str_check_gecos(ent->pw_gecos, password)) {
-            krb5_set_error_message(context, KADM5_PASS_Q_DICT,
-                                   _("Password may not match user "
-                                     "information."));
+            k5_setmsg(context, KADM5_PASS_Q_DICT,
+                      _("Password may not match user information."));
             return KADM5_PASS_Q_DICT;
         }
     }
diff --git a/src/lib/kadm5/srv/pwqual_princ.c b/src/lib/kadm5/srv/pwqual_princ.c
index cbf2d72..14012e5 100644
--- a/src/lib/kadm5/srv/pwqual_princ.c
+++ b/src/lib/kadm5/srv/pwqual_princ.c
@@ -26,7 +26,7 @@
 
 /* Password quality module to check passwords against principal components */
 
-#include "k5-platform.h"
+#include "k5-int.h"
 #include <krb5/pwqual_plugin.h>
 #include "server_internal.h"
 
@@ -50,8 +50,8 @@ princ_check(krb5_context context, krb5_pwqual_moddata data,
     for (i = 0; i < n; i++) {
         cp = krb5_princ_component(handle->context, princ, i)->data;
         if (strcasecmp(cp, password) == 0) {
-            krb5_set_error_message(context, KADM5_PASS_Q_DICT,
-                                   _("Password may not match principal name"));
+            k5_setmsg(context, KADM5_PASS_Q_DICT,
+                      _("Password may not match principal name"));
             return KADM5_PASS_Q_DICT;
         }
     }
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index 20a8db7..6db5229 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -190,8 +190,8 @@ kdb_get_hist_key(kadm5_server_handle_t handle, krb5_keyblock **keyblocks_out,
 
     if (kdb->n_key_data <= 0) {
         ret = KRB5_KDB_NO_MATCHING_KEY;
-        krb5_set_error_message(handle->context, ret,
-                               _("History entry contains no key data"));
+        k5_setmsg(handle->context, ret,
+                  _("History entry contains no key data"));
         goto done;
     }
 
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 8233a48..4b4bb49 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -218,9 +218,8 @@ get_conf_section(krb5_context context, char **section)
 
     status = krb5_get_default_realm(context, &defrealm);
     if (status) {
-        krb5_set_error_message(context, KRB5_KDB_SERVER_INTERNAL_ERR,
-                               _("No default realm set; cannot initialize "
-                                 "KDB"));
+        k5_setmsg(context, KRB5_KDB_SERVER_INTERNAL_ERR,
+                  _("No default realm set; cannot initialize KDB"));
         return KRB5_KDB_SERVER_INTERNAL_ERR;
     }
     status = profile_get_string(context->profile,
@@ -324,9 +323,8 @@ kdb_load_library(krb5_context kcontext, char *lib_name, db_library *libptr)
         vftabl_addr = &krb5_ldap_kdb_function_table;
 #endif
     if (!vftabl_addr) {
-        krb5_set_error_message(kcontext, KRB5_KDB_DBTYPE_NOTFOUND,
-                               _("Unable to find requested database type: %s"),
-                               lib_name);
+        k5_setmsg(kcontext, KRB5_KDB_DBTYPE_NOTFOUND,
+                  _("Unable to find requested database type: %s"), lib_name);
         return KRB5_PLUGIN_OP_NOTSUPP;
     }
 
@@ -407,9 +405,8 @@ kdb_load_library(krb5_context kcontext, char *lib_name, db_library *lib)
                                             &(*lib)->dl_dir_handle, &kcontext->err))) {
         const char *err_str = krb5_get_error_message(kcontext, status);
         status = KRB5_KDB_DBTYPE_NOTFOUND;
-        krb5_set_error_message(kcontext, status,
-                               _("Unable to find requested database type: %s"),
-                               err_str);
+        k5_setmsg(kcontext, status,
+                  _("Unable to find requested database type: %s"), err_str);
         krb5_free_error_message(kcontext, err_str);
         goto clean_n_exit;
     }
@@ -418,9 +415,9 @@ kdb_load_library(krb5_context kcontext, char *lib_name, db_library *lib)
                                                &vftabl_addrs, &kcontext->err))) {
         const char *err_str = krb5_get_error_message(kcontext, status);
         status = KRB5_KDB_DBTYPE_INIT;
-        krb5_set_error_message(kcontext, status,
-                               _("plugin symbol 'kdb_function_table' lookup "
-                                 "failed: %s"), err_str);
+        k5_setmsg(kcontext, status,
+                  _("plugin symbol 'kdb_function_table' lookup failed: %s"),
+                  err_str);
         krb5_free_error_message(kcontext, err_str);
         goto clean_n_exit;
     }
@@ -428,10 +425,9 @@ kdb_load_library(krb5_context kcontext, char *lib_name, db_library *lib)
     if (vftabl_addrs[0] == NULL) {
         /* No plugins! */
         status = KRB5_KDB_DBTYPE_NOTFOUND;
-        krb5_set_error_message(kcontext, status,
-                               _("Unable to load requested database module "
-                                 "'%s': plugin symbol 'kdb_function_table' "
-                                 "not found"), lib_name);
+        k5_setmsg(kcontext, status,
+                  _("Unable to load requested database module '%s': plugin "
+                    "symbol 'kdb_function_table' not found"), lib_name);
         goto clean_n_exit;
     }
 
@@ -1653,9 +1649,9 @@ krb5_dbe_lookup_mkey_aux(krb5_context context, krb5_db_entry *entry,
                 prev_data = new_data;
             }
         } else {
-            krb5_set_error_message(context, KRB5_KDB_BAD_VERSION,
-                                   _("Illegal version number for "
-                                     "KRB5_TL_MKEY_AUX %d\n"), version);
+            k5_setmsg(context, KRB5_KDB_BAD_VERSION,
+                      _("Illegal version number for KRB5_TL_MKEY_AUX %d\n"),
+                      version);
             return (KRB5_KDB_BAD_VERSION);
         }
     }
@@ -1822,9 +1818,9 @@ krb5_dbe_lookup_actkvno(krb5_context context, krb5_db_entry *entry,
                 next_tuple += ACTKVNO_TUPLE_SIZE;
             }
         } else {
-            krb5_set_error_message(context, KRB5_KDB_BAD_VERSION,
-                                   _("Illegal version number for "
-                                     "KRB5_TL_ACTKVNO %d\n"), version);
+            k5_setmsg(context, KRB5_KDB_BAD_VERSION,
+                      _("Illegal version number for KRB5_TL_ACTKVNO %d\n"),
+                      version);
             return (KRB5_KDB_BAD_VERSION);
         }
     }
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index b7a2f24..31b3e69 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -160,9 +160,9 @@ krb5_def_store_mkey_list(krb5_context       context,
         /* if keyfile exists it better be a regular file */
         if (!S_ISREG(stb.st_mode)) {
             retval = EINVAL;
-            krb5_set_error_message(context, retval,
-                                   _("keyfile (%s) is not a regular file: %s"),
-                                   keyfile, error_message(retval));
+            k5_setmsg(context, retval,
+                      _("keyfile (%s) is not a regular file: %s"),
+                      keyfile, error_message(retval));
             goto out;
         }
     }
@@ -173,8 +173,8 @@ krb5_def_store_mkey_list(krb5_context       context,
      */
     retval = asprintf(&tmp_ktname, "FILE:%s_tmp", keyfile);
     if (retval < 0) {
-        krb5_set_error_message(context, retval,
-                               _("Could not create temp keytab file name."));
+        k5_setmsg(context, retval,
+                  _("Could not create temp keytab file name."));
         goto out;
     }
 
@@ -198,9 +198,8 @@ krb5_def_store_mkey_list(krb5_context       context,
         goto out;
     } else if (statrc == 0) {
         retval = EEXIST;
-        krb5_set_error_message(context, retval,
-                               _("Temporary stash file already exists: %s."),
-                               tmp_ktpath);
+        k5_setmsg(context, retval,
+                  _("Temporary stash file already exists: %s."), tmp_ktpath);
         goto out;
     }
 
@@ -227,10 +226,9 @@ krb5_def_store_mkey_list(krb5_context       context,
         /* Atomically rename temp keyfile to original filename. */
         if (rename(tmp_ktpath, keyfile) < 0) {
             retval = errno;
-            krb5_set_error_message(context, retval,
-                                   _("rename of temporary keyfile (%s) to "
-                                     "(%s) failed: %s"), tmp_ktpath, keyfile,
-                                   error_message(errno));
+            k5_setmsg(context, retval,
+                      _("rename of temporary keyfile (%s) to (%s) failed: %s"),
+                      tmp_ktpath, keyfile, error_message(errno));
         }
     }
 
@@ -417,9 +415,9 @@ krb5_db_def_fetch_mkey(krb5_context   context,
      * key, but set a message indicating the actual error.
      */
     if (retval != 0) {
-        krb5_set_error_message(context, KRB5_KDB_CANTREAD_STORED,
-                               _("Can not fetch master key (error: %s)."),
-                               error_message(retval));
+        k5_setmsg(context, KRB5_KDB_CANTREAD_STORED,
+                  _("Can not fetch master key (error: %s)."),
+                  error_message(retval));
         return KRB5_KDB_CANTREAD_STORED;
     } else
         return 0;
@@ -480,9 +478,9 @@ krb5_def_fetch_mkey_list(krb5_context        context,
             }
         }
         if (found_key != TRUE) {
-            krb5_set_error_message(context, KRB5_KDB_BADMASTERKEY,
-                                   _("Unable to decrypt latest master key "
-                                     "with the provided master key\n"));
+            k5_setmsg(context, KRB5_KDB_BADMASTERKEY,
+                      _("Unable to decrypt latest master key with the "
+                        "provided master key\n"));
             retval = KRB5_KDB_BADMASTERKEY;
             goto clean_n_exit;
         }
diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
index b8231ed..d82f335 100644
--- a/src/lib/krb5/ccache/cc_dir.c
+++ b/src/lib/krb5/ccache/cc_dir.c
@@ -118,16 +118,15 @@ split_path(krb5_context context, const char *path, char **dirname_out,
 
     if (*dirname == '\0') {
         ret = KRB5_CC_BADNAME;
-        krb5_set_error_message(context, ret,
-                               _("Subsidiary cache path %s has no parent "
-                                 "directory"), path);
+        k5_setmsg(context, ret,
+                  _("Subsidiary cache path %s has no parent directory"), path);
         goto error;
     }
     if (!filename_is_cache(filename)) {
         ret = KRB5_CC_BADNAME;
-        krb5_set_error_message(context, ret,
-                               _("Subsidiary cache path %s filename does not "
-                                 "begin with \"tkt\""), path);
+        k5_setmsg(context, ret,
+                  _("Subsidiary cache path %s filename does not begin with "
+                    "\"tkt\""), path);
         goto error;
     }
 
@@ -167,9 +166,8 @@ read_primary_file(krb5_context context, const char *primary_path,
      * filename, or isn't a single-component filename. */
     if (buf[len - 1] != '\n' || !filename_is_cache(buf) ||
         strchr(buf, '/') || strchr(buf, '\\')) {
-        krb5_set_error_message(context, KRB5_CC_FORMAT,
-                               _("%s contains invalid filename"),
-                               primary_path);
+        k5_setmsg(context, KRB5_CC_FORMAT, _("%s contains invalid filename"),
+                  primary_path);
         return KRB5_CC_FORMAT;
     }
     buf[len - 1] = '\0';
@@ -227,15 +225,15 @@ verify_dir(krb5_context context, const char *dirname)
     if (stat(dirname, &st) < 0) {
         if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
             return 0;
-        krb5_set_error_message(context, KRB5_FCC_NOFILE,
-                               _("Credential cache directory %s does not "
-                                 "exist"), dirname);
+        k5_setmsg(context, KRB5_FCC_NOFILE,
+                  _("Credential cache directory %s does not exist"),
+                  dirname);
         return KRB5_FCC_NOFILE;
     }
     if (!S_ISDIR(st.st_mode)) {
-        krb5_set_error_message(context, KRB5_CC_FORMAT,
-                               _("Credential cache directory %s exists but is"
-                                 "not a directory"), dirname);
+        k5_setmsg(context, KRB5_CC_FORMAT,
+                  _("Credential cache directory %s exists but is not a "
+                    "directory"), dirname);
         return KRB5_CC_FORMAT;
     }
     return 0;
@@ -398,10 +396,9 @@ dcc_gen_new(krb5_context context, krb5_ccache *cache_out)
     if (ret)
         return ret;
     if (dirname == NULL) {
-        krb5_set_error_message(context, KRB5_DCC_CANNOT_CREATE,
-                               _("Can't create new subsidiary cache because "
-                                 "default cache is not a directory "
-                                 "collection"));
+        k5_setmsg(context, KRB5_DCC_CANNOT_CREATE,
+                  _("Can't create new subsidiary cache because default cache "
+                    "is not a directory collection"));
         return KRB5_DCC_CANNOT_CREATE;
     }
     ret = k5_path_join(dirname, "tktXXXXXX", &template);
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index 7b6279d..3f6443f 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -569,9 +569,8 @@ open_cache_file(krb5_context context, krb5_ccache id, int mode)
     if (f == NO_FILE) {
         if (errno == ENOENT) {
             ret = KRB5_FCC_NOFILE;
-            krb5_set_error_message(context, ret,
-                                   _("Credentials cache file '%s' not found"),
-                                   data->filename);
+            k5_setmsg(context, ret, _("Credentials cache file '%s' not found"),
+                      data->filename);
             return ret;
         } else {
             return interpret_errno(context, errno);
@@ -1577,9 +1576,9 @@ interpret_errno(krb5_context context, int errnum)
     case ENXIO:
     default:
         ret = KRB5_CC_IO;
-        krb5_set_error_message(context, ret,
-                               _("Credentials cache I/O operation failed "
-                                 "(%s)"), strerror(errnum));
+        k5_setmsg(context, ret,
+                  _("Credentials cache I/O operation failed (%s)"),
+                  strerror(errnum));
     }
     return ret;
 }
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
index 43f33ee..31be293 100644
--- a/src/lib/krb5/ccache/cc_keyring.c
+++ b/src/lib/krb5/ccache/cc_keyring.c
@@ -1147,9 +1147,9 @@ krcc_generate_new(krb5_context context, krb5_ccache *id_out)
             return ret;
     }
     if (subsidiary_name != NULL) {
-        krb5_set_error_message(context, KRB5_DCC_CANNOT_CREATE,
-                               _("Can't create new subsidiary cache because "
-                                 "default cache is already a subsdiary"));
+        k5_setmsg(context, KRB5_DCC_CANNOT_CREATE,
+                  _("Can't create new subsidiary cache because default cache "
+                    "is already a subsidiary"));
         ret = KRB5_DCC_CANNOT_CREATE;
         goto cleanup;
     }
@@ -1216,9 +1216,8 @@ krcc_get_principal(krb5_context context, krb5_ccache id,
 
     if (!data->cache_id || !data->princ_id) {
         ret = KRB5_FCC_NOFILE;
-        krb5_set_error_message(context, ret,
-                               _("Credentials cache keyring '%s' not found"),
-                               data->name);
+        k5_setmsg(context, ret, _("Credentials cache keyring '%s' not found"),
+                  data->name);
         goto errout;
     }
 
diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c
index e156112..021a49f 100644
--- a/src/lib/krb5/ccache/cccursor.c
+++ b/src/lib/krb5/ccache/cccursor.c
@@ -208,9 +208,9 @@ krb5_cc_cache_match(krb5_context context, krb5_principal client,
     if (cache == NULL) {
         ret = krb5_unparse_name(context, client, &name);
         if (ret == 0) {
-            krb5_set_error_message(context, KRB5_CC_NOTFOUND,
-                                   _("Can't find client principal %s in "
-                                     "cache collection"), name);
+            k5_setmsg(context, KRB5_CC_NOTFOUND,
+                      _("Can't find client principal %s in cache collection"),
+                      name);
             krb5_free_unparsed_name(context, name);
         }
         ret = KRB5_CC_NOTFOUND;
@@ -249,7 +249,7 @@ krb5_cccol_have_content(krb5_context context)
         return 0;
 
 no_entries:
-    krb5_set_error_message(context, KRB5_CC_NOTFOUND,
-                           _("No Kerberos credentials available"));
+    k5_setmsg(context, KRB5_CC_NOTFOUND,
+              _("No Kerberos credentials available"));
     return KRB5_CC_NOTFOUND;
 }
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 44864b5..722ebe6 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -394,9 +394,8 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id,
         else {
             kerror = KRB5_KT_NOTFOUND;
             if (krb5_unparse_name(context, principal, &princname) == 0) {
-                krb5_set_error_message(context, kerror,
-                                       _("No key table entry found for %s"),
-                                       princname);
+                k5_setmsg(context, kerror,
+                          _("No key table entry found for %s"), princname);
                 free(princname);
             }
         }
@@ -472,8 +471,7 @@ krb5_ktfile_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *
         /* Wrapped?!  */
         KTITERS(id)--;
         KTUNLOCK(id);
-        krb5_set_error_message(context, KRB5_KT_IOERR,
-                               "Too many keytab iterators active");
+        k5_setmsg(context, KRB5_KT_IOERR, "Too many keytab iterators active");
         return KRB5_KT_IOERR;   /* XXX */
     }
     KTUNLOCK(id);
@@ -813,9 +811,8 @@ krb5_ktfile_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
     if (KTFILEP(id)) {
         /* Iterator(s) active -- no changes.  */
         KTUNLOCK(id);
-        krb5_set_error_message(context, KRB5_KT_IOERR,
-                               _("Cannot change keytab with keytab iterators "
-                                 "active"));
+        k5_setmsg(context, KRB5_KT_IOERR,
+                  _("Cannot change keytab with keytab iterators active"));
         return KRB5_KT_IOERR;   /* XXX */
     }
     if ((retval = krb5_ktfileint_openw(context, id))) {
@@ -847,9 +844,8 @@ krb5_ktfile_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entr
     if (KTFILEP(id)) {
         /* Iterator(s) active -- no changes.  */
         KTUNLOCK(id);
-        krb5_set_error_message(context, KRB5_KT_IOERR,
-                               _("Cannot change keytab with keytab iterators "
-                                 "active"));
+        k5_setmsg(context, KRB5_KT_IOERR,
+                  _("Cannot change keytab with keytab iterators active"));
         return KRB5_KT_IOERR;   /* XXX */
     }
 
@@ -1047,9 +1043,8 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
                 /* XXX */
                 return EMFILE;
             case ENOENT:
-                krb5_set_error_message(context, ENOENT,
-                                       _("Key table file '%s' not found"),
-                                       KTFILENAME(id));
+                k5_setmsg(context, ENOENT,
+                          _("Key table file '%s' not found"), KTFILENAME(id));
                 return ENOENT;
             default:
                 return errno;
diff --git a/src/lib/krb5/keytab/ktfns.c b/src/lib/krb5/keytab/ktfns.c
index 56343ad..7945253 100644
--- a/src/lib/krb5/keytab/ktfns.c
+++ b/src/lib/krb5/keytab/ktfns.c
@@ -123,8 +123,8 @@ krb5_kt_have_content(krb5_context context, krb5_keytab keytab)
 
 no_entries:
     if (krb5_kt_get_name(context, keytab, name, sizeof(name)) == 0) {
-        krb5_set_error_message(context, KRB5_KT_NOTFOUND,
-                               _("Keytab %s is nonexistent or empty"), name);
+        k5_setmsg(context, KRB5_KT_NOTFOUND,
+                  _("Keytab %s is nonexistent or empty"), name);
     }
     return KRB5_KT_NOTFOUND;
 }
diff --git a/src/lib/krb5/krb/authdata_dec.c b/src/lib/krb5/krb/authdata_dec.c
index 8e95b2a..0a3dc14 100644
--- a/src/lib/krb5/krb/authdata_dec.c
+++ b/src/lib/krb5/krb/authdata_dec.c
@@ -92,8 +92,8 @@ grow_find_authdata(krb5_context context, struct find_authdata_context *fctx,
     if (fctx->length == fctx->space) {
         krb5_authdata **new;
         if (fctx->space >= 256) {
-            krb5_set_error_message(context, ERANGE,
-                                   "More than 256 authdata matched a query");
+            k5_setmsg(context, ERANGE,
+                      "More than 256 authdata matched a query");
             return ERANGE;
         }
         new       = realloc(fctx->out,
diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c
index 8d62268..02d580f 100644
--- a/src/lib/krb5/krb/fast.c
+++ b/src/lib/krb5/krb/fast.c
@@ -214,8 +214,8 @@ krb5int_fast_as_armor(krb5_context context,
         if (retval != 0) {
             const char * errmsg;
             errmsg = krb5_get_error_message(context, retval);
-            krb5_set_error_message(context, retval,
-                                   _("%s constructing AP-REQ armor"), errmsg);
+            k5_setmsg(context, retval, _("%s constructing AP-REQ armor"),
+                      errmsg);
             krb5_free_error_message(context, errmsg);
         }
     }
@@ -396,8 +396,8 @@ decrypt_fast_reply(krb5_context context,
     if (retval != 0) {
         const char * errmsg;
         errmsg = krb5_get_error_message(context, retval);
-        krb5_set_error_message(context, retval,
-                               _("%s while decrypting FAST reply"), errmsg);
+        k5_setmsg(context, retval, _("%s while decrypting FAST reply"),
+                  errmsg);
         krb5_free_error_message(context, errmsg);
     }
     if (retval == 0)
@@ -405,9 +405,8 @@ decrypt_fast_reply(krb5_context context,
     if (retval == 0) {
         if (local_resp->nonce != state->nonce) {
             retval = KRB5_KDCREP_MODIFIED;
-            krb5_set_error_message(context, retval,
-                                   _("nonce modified in FAST response: "
-                                     "KDC response modified"));
+            k5_setmsg(context, retval, _("nonce modified in FAST response: "
+                                         "KDC response modified"));
         }
     }
     if (retval == 0) {
@@ -471,9 +470,9 @@ krb5int_fast_process_error(krb5_context context,
             fx_error_pa = krb5int_find_pa_data(context, fast_response->padata,
                                                KRB5_PADATA_FX_ERROR);
             if (fx_error_pa == NULL) {
-                krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
-                                       _("Expecting FX_ERROR pa-data inside "
-                                         "FAST container"));
+                k5_setmsg(context, KRB5KDC_ERR_PREAUTH_FAILED,
+                          _("Expecting FX_ERROR pa-data inside FAST "
+                            "container"));
                 retval = KRB5KDC_ERR_PREAUTH_FAILED;
             }
         }
@@ -542,9 +541,8 @@ krb5int_fast_process_response(krb5_context context,
     if (retval == 0) {
         if (fast_response->finished == 0) {
             retval = KRB5_KDCREP_MODIFIED;
-            krb5_set_error_message(context, retval,
-                                   _("FAST response missing finish message "
-                                     "in KDC reply"));
+            k5_setmsg(context, retval,
+                      _("FAST response missing finish message in KDC reply"));
         }
     }
     if (retval == 0)
@@ -557,8 +555,7 @@ krb5int_fast_process_response(krb5_context context,
                                         &cksum_valid);
     if (retval == 0 && cksum_valid == 0) {
         retval = KRB5_KDCREP_MODIFIED;
-        krb5_set_error_message(context, retval,
-                               _("Ticket modified in KDC reply"));
+        k5_setmsg(context, retval, _("Ticket modified in KDC reply"));
     }
     if (retval == 0) {
         krb5_free_principal(context, resp->client);
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index 92b53ec..4c0a1a4 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -204,19 +204,18 @@ krb5int_process_tgs_reply(krb5_context context,
         if (err_reply->text.length > 0) {
             switch (err_reply->error) {
             case KRB_ERR_GENERIC:
-                krb5_set_error_message(context, retval,
-                                       _("KDC returned error string: %.*s"),
-                                       err_reply->text.length,
-                                       err_reply->text.data);
+                k5_setmsg(context, retval,
+                          _("KDC returned error string: %.*s"),
+                          err_reply->text.length, err_reply->text.data);
                 break;
             case KDC_ERR_S_PRINCIPAL_UNKNOWN:
             {
                 char *s_name;
                 if (err_reply->server &&
                     krb5_unparse_name(context, err_reply->server, &s_name) == 0) {
-                    krb5_set_error_message(context, retval,
-                                           _("Server %s not found in Kerberos "
-                                             "database"), s_name);
+                    k5_setmsg(context, retval,
+                              _("Server %s not found in Kerberos database"),
+                              s_name);
                     krb5_free_unparsed_name(context, s_name);
                 } else
                     /* In case there's a stale S_PRINCIPAL_UNKNOWN
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index ebcb362..88bad4c 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -131,8 +131,8 @@ cleanup:
     return ret;
 verification_error:
     ret = KRB5_KDCREP_MODIFIED;
-    krb5_set_error_message(context, ret, _("Reply has wrong form of session "
-                                           "key for anonymous request"));
+    k5_setmsg(context, ret,
+              _("Reply has wrong form of session key for anonymous request"));
     goto cleanup;
 }
 
@@ -1641,8 +1641,7 @@ init_creds_step_reply(krb5_context context,
         if (code !=0) {
             const char *msg;
             msg = krb5_get_error_message(context, code);
-            krb5_set_error_message(context, code,
-                                   _("%s while storing credentials"), msg);
+            k5_setmsg(context, code, _("%s while storing credentials"), msg);
             krb5_free_error_message(context, msg);
         }
     }
@@ -1729,9 +1728,9 @@ cleanup:
         /* See if we can produce a more detailed error message */
         code2 = krb5_unparse_name(context, ctx->request->client, &client_name);
         if (code2 == 0) {
-            krb5_set_error_message(context, code,
-                                   _("Client '%s' not found in Kerberos "
-                                     "database"), client_name);
+            k5_setmsg(context, code,
+                      _("Client '%s' not found in Kerberos database"),
+                      client_name);
             krb5_free_unparsed_name(context, client_name);
         }
     }
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index 4c2942e..f20af53 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -203,9 +203,8 @@ krb5_init_creds_set_keytab(krb5_context context,
     if (etype_list == NULL) {
         ret = krb5_unparse_name(context, ctx->request->client, &name);
         if (ret == 0) {
-            krb5_set_error_message(context, KRB5_KT_NOTFOUND,
-                                   _("Keytab contains no suitable keys for "
-                                     "%s"), name);
+            k5_setmsg(context, KRB5_KT_NOTFOUND,
+                      _("Keytab contains no suitable keys for %s"), name);
         }
         krb5_free_unparsed_name(context, name);
         return KRB5_KT_NOTFOUND;
diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c
index a696c71..1edb949 100644
--- a/src/lib/krb5/krb/parse.c
+++ b/src/lib/krb5/krb/parse.c
@@ -199,9 +199,8 @@ krb5_parse_name_flags(krb5_context context, const char *name,
     if (!has_realm) {
         if (require_realm) {
             ret = KRB5_PARSE_MALFORMED;
-            krb5_set_error_message(context, ret,
-                                   _("Principal %s is missing required realm"),
-                                   name);
+            k5_setmsg(context, ret,
+                      _("Principal %s is missing required realm"), name);
             goto cleanup;
         }
         if (!no_realm && !ignore_realm) {
@@ -213,8 +212,7 @@ krb5_parse_name_flags(krb5_context context, const char *name,
         }
     } else if (no_realm) {
         ret = KRB5_PARSE_MALFORMED;
-        krb5_set_error_message(context, ret,
-                               _("Principal %s has realm present"), name);
+        k5_setmsg(context, ret, _("Principal %s has realm present"), name);
         goto cleanup;
     } else if (ignore_realm) {
         krb5_free_data_contents(context, &princ->realm);
diff --git a/src/lib/krb5/krb/plugin.c b/src/lib/krb5/krb/plugin.c
index 9bb5d54..8b62c7b 100644
--- a/src/lib/krb5/krb/plugin.c
+++ b/src/lib/krb5/krb/plugin.c
@@ -160,8 +160,8 @@ parse_modstr(krb5_context context, const char *modstr,
 
     sep = strchr(modstr, ':');
     if (sep == NULL) {
-        krb5_set_error_message(context, KRB5_PLUGIN_BAD_MODULE_SPEC,
-                               _("Invalid module specifier %s"), modstr);
+        k5_setmsg(context, KRB5_PLUGIN_BAD_MODULE_SPEC,
+                  _("Invalid module specifier %s"), modstr);
         return KRB5_PLUGIN_BAD_MODULE_SPEC;
     }
 
@@ -397,9 +397,9 @@ k5_plugin_load(krb5_context context, int interface_id, const char *modname,
             break;
         }
     }
-    krb5_set_error_message(context, KRB5_PLUGIN_NAME_NOTFOUND,
-                           _("Could not find %s plugin module named '%s'"),
-                           interface_names[interface_id], modname);
+    k5_setmsg(context, KRB5_PLUGIN_NAME_NOTFOUND,
+              _("Could not find %s plugin module named '%s'"),
+              interface_names[interface_id], modname);
     return KRB5_PLUGIN_NAME_NOTFOUND;
 }
 
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index cda91b9..9f34b33 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -1014,8 +1014,8 @@ krb5_preauth_supply_preauth_data(krb5_context context,
         k5_init_preauth_context(context);
         pctx = context->preauth_context;
         if (pctx == NULL) {
-            krb5_set_error_message(context, EINVAL,
-                                   _("Unable to initialize preauth context"));
+            k5_setmsg(context, EINVAL,
+                      _("Unable to initialize preauth context"));
             return EINVAL;
         }
     }
@@ -1029,8 +1029,8 @@ krb5_preauth_supply_preauth_data(krb5_context context,
         ret = clpreauth_gic_opts(context, h, opt, attr, value);
         if (ret) {
             emsg = krb5_get_error_message(context, ret);
-            krb5_set_error_message(context, ret, _("Preauth module %s: %s"),
-                                   h->vt.name, emsg);
+            k5_setmsg(context, ret, _("Preauth module %s: %s"), h->vt.name,
+                      emsg);
             krb5_free_error_message(context, emsg);
             return ret;
         }
diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
index d343683..d9ddc8b 100644
--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
@@ -698,9 +698,8 @@ filter_tokeninfos(krb5_context context, const char *otpvalue,
     /* It is an error if we have no matching tokeninfos. */
     if (filtered[0] == NULL) {
         free(filtered);
-        krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
-                               _("OTP value doesn't match "
-                                 "any token formats"));
+        k5_setmsg(context, KRB5_PREAUTH_FAILED,
+                  _("OTP value doesn't match any token formats"));
         return KRB5_PREAUTH_FAILED; /* We have no supported tokeninfos. */
     }
 
@@ -912,8 +911,7 @@ filter_supported_tokeninfos(krb5_context context, krb5_otp_tokeninfo **tis)
     if (tis[0] != NULL)
         return 0;
 
-    krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
-                           _("No supported tokens"));
+    k5_setmsg(context, KRB5_PREAUTH_FAILED, _("No supported tokens"));
     return KRB5_PREAUTH_FAILED; /* We have no supported tokeninfos. */
 }
 
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 637ff83..fbfe36e 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -142,15 +142,13 @@ keytab_fetch_error(krb5_context context, krb5_error_code code,
         return ret;
     if (krb5_principal_compare(context, princ, tkt_server)) {
         ret = KRB5KRB_AP_ERR_BADKEYVER;
-        krb5_set_error_message(context, ret,
-                               _("Cannot find key for %s kvno %d in keytab"),
-                               sname, (int)tkt_kvno);
+        k5_setmsg(context, ret, _("Cannot find key for %s kvno %d in keytab"),
+                  sname, (int)tkt_kvno);
     } else {
         ret = KRB5KRB_AP_ERR_NOT_US;
-        krb5_set_error_message(context, ret,
-                               _("Cannot find key for %s kvno %d in keytab "
-                                 "(request ticket server %s)"),
-                               sname, (int)tkt_kvno, tsname);
+        k5_setmsg(context, ret,
+                  _("Cannot find key for %s kvno %d in keytab (request ticket "
+                    "server %s)"), sname, (int)tkt_kvno, tsname);
     }
     krb5_free_unparsed_name(context, sname);
     krb5_free_unparsed_name(context, tsname);
@@ -173,9 +171,9 @@ integrity_error(krb5_context context, krb5_const_principal server,
 
     ret = krb5_principal_compare(context, server, tkt_server) ?
         KRB5KRB_AP_ERR_BAD_INTEGRITY : KRB5KRB_AP_ERR_NOT_US;
-    krb5_set_error_message(context, ret,
-                           _("Cannot decrypt ticket for %s using keytab "
-                             "key for %s"), tsname, sname);
+    k5_setmsg(context, ret,
+              _("Cannot decrypt ticket for %s using keytab key for %s"),
+              tsname, sname);
     krb5_free_unparsed_name(context, sname);
     krb5_free_unparsed_name(context, tsname);
     return ret;
@@ -195,9 +193,9 @@ nomatch_error(krb5_context context, krb5_const_principal server,
     if (ret)
         return ret;
 
-    krb5_set_error_message(context, KRB5KRB_AP_ERR_NOT_US,
-                           _("Server principal %s does not match request "
-                             "ticket server %s"), sname, tsname);
+    k5_setmsg(context, KRB5KRB_AP_ERR_NOT_US,
+              _("Server principal %s does not match request ticket server %s"),
+              sname, tsname);
     krb5_free_unparsed_name(context, sname);
     krb5_free_unparsed_name(context, tsname);
     return KRB5KRB_AP_ERR_NOT_US;
@@ -225,52 +223,49 @@ iteration_error(krb5_context context, krb5_const_principal server,
     if (!found_server_match) {
         ret = KRB5KRB_AP_ERR_NOKEY;
         if (sname == NULL)  {
-            krb5_set_error_message(context, ret, _("No keys in keytab"));
+            k5_setmsg(context, ret, _("No keys in keytab"));
         } else {
-            krb5_set_error_message(context, ret,
-                                   _("Server principal %s does not match any "
-                                     "keys in keytab"), sname);
+            k5_setmsg(context, ret,
+                      _("Server principal %s does not match any keys in "
+                        "keytab"), sname);
         }
     } else if (tkt_server_mismatch) {
         assert(sname != NULL);  /* Null server princ would match anything. */
         ret = KRB5KRB_AP_ERR_NOT_US;
-        krb5_set_error_message(context, ret,
-                               _("Request ticket server %s found in keytab "
-                                 "but does not match server principal %s"),
-                               tsname, sname);
+        k5_setmsg(context, ret,
+                  _("Request ticket server %s found in keytab but does not "
+                    "match server principal %s"), tsname, sname);
     } else if (!found_tkt_server) {
         ret = KRB5KRB_AP_ERR_NOT_US;
-        krb5_set_error_message(context, ret,
-                               _("Request ticket server %s not found in "
-                                 "keytab (ticket kvno %d)"),
-                               tsname, (int)tkt_kvno);
+        k5_setmsg(context, ret,
+                  _("Request ticket server %s not found in keytab (ticket "
+                    "kvno %d)"), tsname, (int)tkt_kvno);
     } else if (!found_kvno) {
         ret = KRB5KRB_AP_ERR_BADKEYVER;
         if (found_higher_kvno) {
-            krb5_set_error_message(context, ret,
-                                   _("Request ticket server %s kvno %d not "
-                                     "found in keytab; ticket is likely out "
-                                     "of date"), tsname, (int)tkt_kvno);
+            k5_setmsg(context, ret,
+                      _("Request ticket server %s kvno %d not found in "
+                        "keytab; ticket is likely out of date"),
+                      tsname, (int)tkt_kvno);
         } else {
-            krb5_set_error_message(context, ret,
-                                   _("Request ticket server %s kvno %d not "
-                                     "found in keytab; keytab is likely out "
-                                     "of date"), tsname, (int)tkt_kvno);
+            k5_setmsg(context, ret,
+                      _("Request ticket server %s kvno %d not found in "
+                        "keytab; keytab is likely out of date"),
+                      tsname, (int)tkt_kvno);
         }
     } else if (!found_enctype) {
         /* There's no defined error for having the key version but not the
          * enctype. */
         ret = KRB5KRB_AP_ERR_BADKEYVER;
-        krb5_set_error_message(context, ret,
-                               _("Request ticket server %s kvno %d found in "
-                                 "keytab but not with enctype %s"),
-                               tsname, (int)tkt_kvno, encname);
+        k5_setmsg(context, ret,
+                  _("Request ticket server %s kvno %d found in keytab but not "
+                    "with enctype %s"), tsname, (int)tkt_kvno, encname);
     } else {
         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-        krb5_set_error_message(context, ret,
-                               _("Request ticket server %s kvno %d enctype %s "
-                                 "found in keytab but cannot decrypt ticket"),
-                               tsname, (int)tkt_kvno, encname);
+        k5_setmsg(context, ret,
+                  _("Request ticket server %s kvno %d enctype %s found in "
+                    "keytab but cannot decrypt ticket"),
+                  tsname, (int)tkt_kvno, encname);
     }
 
     krb5_free_unparsed_name(context, sname);
@@ -905,9 +900,8 @@ negotiate_etype(krb5_context context,
             if (krb5_enctype_to_string(desired_etypes[i],
                                        enctype_name,
                                        sizeof(enctype_name)) == 0)
-                krb5_set_error_message(context, KRB5_NOPERM_ETYPE,
-                                       _("Encryption type %s not permitted"),
-                                       enctype_name);
+                k5_setmsg(context, KRB5_NOPERM_ETYPE,
+                          _("Encryption type %s not permitted"), enctype_name);
             return KRB5_NOPERM_ETYPE;
         }
     }
diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c
index 522fa0c..fa810be 100644
--- a/src/lib/krb5/krb/t_copy_context.c
+++ b/src/lib/krb5/krb/t_copy_context.c
@@ -153,7 +153,7 @@ main(int argc, char **argv)
     ctx->prompt_types = ptypes;
     check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &mods) == 0);
     k5_plugin_free_modules(ctx, mods);
-    krb5_set_error_message(ctx, ENOMEM, "nooooooooo");
+    k5_setmsg(ctx, ENOMEM, "nooooooooo");
     krb5_set_trace_callback(ctx, trace, ctx);
 
     /* Copy the intentionally messy context and verify the result. */
diff --git a/src/lib/krb5/os/expand_path.c b/src/lib/krb5/os/expand_path.c
index f14e9ac..144ccc8 100644
--- a/src/lib/krb5/os/expand_path.c
+++ b/src/lib/krb5/os/expand_path.c
@@ -58,9 +58,8 @@ expand_temp_folder(krb5_context context, PTYPE param, const char *postfix,
     size_t len;
 
     if (!GetTempPath(sizeof(tpath) / sizeof(tpath[0]), tpath)) {
-        krb5_set_error_message(context, EINVAL,
-                               "Failed to get temporary path (GLE=%d)",
-                               GetLastError());
+        k5_setmsg(context, EINVAL, "Failed to get temporary path (GLE=%d)",
+                  GetLastError());
         return EINVAL;
     }
 
@@ -167,23 +166,22 @@ expand_userid(krb5_context context, PTYPE param, const char *postfix,
         }
 
         if (le != 0) {
-            krb5_set_error_message(context, rv,
-                                   "Can't open thread token (GLE=%d)", le);
+            k5_setmsg(context, rv, "Can't open thread token (GLE=%d)", le);
             goto cleanup;
         }
     }
 
     if (!GetTokenInformation(hToken, TokenOwner, NULL, 0, &len)) {
         if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
-            krb5_set_error_message(context, rv,
-                                   "Unexpected error reading token "
-                                   "information (GLE=%d)", GetLastError());
+            k5_setmsg(context, rv,
+                      "Unexpected error reading token information (GLE=%d)",
+                      GetLastError());
             goto cleanup;
         }
 
         if (len == 0) {
-            krb5_set_error_message(context, rv, "GetTokenInformation() "
-                                   "returned truncated buffer");
+            k5_setmsg(context, rv,
+                      "GetTokenInformation() returned truncated buffer");
             goto cleanup;
         }
 
@@ -193,20 +191,20 @@ expand_userid(krb5_context context, PTYPE param, const char *postfix,
             goto cleanup;
         }
     } else {
-        krb5_set_error_message(context, rv, "GetTokenInformation() returned "
-                               "truncated buffer");
+        k5_setmsg(context, rv,
+                  "GetTokenInformation() returned truncated buffer");
         goto cleanup;
     }
 
     if (!GetTokenInformation(hToken, TokenOwner, pOwner, len, &len)) {
-        krb5_set_error_message(context, rv, "GetTokenInformation() failed. "
-                               "GLE=%d", GetLastError());
+        k5_setmsg(context, rv,
+                  "GetTokenInformation() failed.  GLE=%d", GetLastError());
         goto cleanup;
     }
 
     if (!ConvertSidToStringSid(pOwner->Owner, &strSid)) {
-        krb5_set_error_message(context, rv, "Can't convert SID to string. "
-                               "GLE=%d", GetLastError());
+        k5_setmsg(context, rv,
+                  "Can't convert SID to string.  GLE=%d", GetLastError());
         goto cleanup;
     }
 
@@ -243,8 +241,7 @@ expand_csidl(krb5_context context, PTYPE folder, const char *postfix,
 
     if (SHGetFolderPath(NULL, folder, NULL, SHGFP_TYPE_CURRENT,
                         path) != S_OK) {
-        krb5_set_error_message(context, EINVAL,
-                               "Unable to determine folder path");
+        k5_setmsg(context, EINVAL, "Unable to determine folder path");
         return EINVAL;
     }
 
@@ -316,9 +313,8 @@ expand_username(krb5_context context, PTYPE param, const char *postfix,
     char pwbuf[BUFSIZ];
 
     if (k5_getpwuid_r(euid, &pwx, pwbuf, sizeof(pwbuf), &pw) != 0) {
-        krb5_set_error_message(context, ENOENT,
-                               _("Can't find username for uid %lu"),
-                               (unsigned long)euid);
+        k5_setmsg(context, ENOENT, _("Can't find username for uid %lu"),
+                  (unsigned long)euid);
         return ENOENT;
     }
     *str = strdup(pw->pw_name);
@@ -406,7 +402,7 @@ expand_token(krb5_context context, const char *token, const char *token_end,
 
     if (token[0] != '%' || token[1] != '{' || token_end[0] != '}' ||
         token_end - token <= 2) {
-        krb5_set_error_message(context, EINVAL, _("Invalid token"));
+        k5_setmsg(context, EINVAL, _("Invalid token"));
         return EINVAL;
     }
 
@@ -422,7 +418,7 @@ expand_token(krb5_context context, const char *token, const char *token_end,
         }
     }
 
-    krb5_set_error_message(context, EINVAL, _("Invalid token"));
+    k5_setmsg(context, EINVAL, _("Invalid token"));
     return EINVAL;
 }
 
@@ -506,7 +502,7 @@ k5_expand_path_tokens_extra(krb5_context context, const char *path_in,
         tok_end = strchr(tok_begin, '}');
         if (tok_end == NULL) {
             ret = EINVAL;
-            krb5_set_error_message(context, ret, _("variable missing }"));
+            k5_setmsg(context, ret, _("variable missing }"));
             goto cleanup;
         }
 
diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
index 1136809..2fade13 100644
--- a/src/lib/krb5/os/locate_kdc.c
+++ b/src/lib/krb5/os/locate_kdc.c
@@ -654,8 +654,8 @@ k5_locate_server(krb5_context context, const krb5_data *realm,
 
     memset(serverlist, 0, sizeof(*serverlist));
     if (realm == NULL || realm->data == NULL || realm->data[0] == 0) {
-        krb5_set_error_message(context, KRB5_REALM_CANT_RESOLVE,
-                               "Cannot find KDC for invalid realm name \"\"");
+        k5_setmsg(context, KRB5_REALM_CANT_RESOLVE,
+                  "Cannot find KDC for invalid realm name \"\"");
         return KRB5_REALM_CANT_RESOLVE;
     }
 
@@ -665,9 +665,9 @@ k5_locate_server(krb5_context context, const krb5_data *realm,
 
     if (serverlist->nservers == 0) {
         k5_free_serverlist(serverlist);
-        krb5_set_error_message(context, KRB5_REALM_UNKNOWN,
-                               _("Cannot find KDC for realm \"%.*s\""),
-                               realm->length, realm->data);
+        k5_setmsg(context, KRB5_REALM_UNKNOWN,
+                  _("Cannot find KDC for realm \"%.*s\""),
+                  realm->length, realm->data);
         return KRB5_REALM_UNKNOWN;
     }
     return 0;
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index f083c0f..a7fa461 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -488,9 +488,9 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
         if (err == KDC_ERR_SVC_UNAVAILABLE) {
             retval = KRB5KDC_ERR_SVC_UNAVAILABLE;
         } else {
-            krb5_set_error_message(context, retval,
-                                   _("Cannot contact any KDC for realm "
-                                     "'%.*s'"), realm->length, realm->data);
+            k5_setmsg(context, retval,
+                      _("Cannot contact any KDC for realm '%.*s'"),
+                      realm->length, realm->data);
         }
     }
     if (retval)
diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c
index 1930d7e..7e3b7e9 100644
--- a/src/lib/krb5/rcache/rc_io.c
+++ b/src/lib/krb5/rcache/rc_io.c
@@ -102,16 +102,15 @@ krb5_rc_io_mkstemp(krb5_context context, krb5_rc_iostuff *d, char *dir)
      */
     retval = fstat(d->fd, &stbuf);
     if (retval) {
-        krb5_set_error_message(context, retval,
-                               _("Cannot fstat replay cache file %s: %s"),
-                               d->fn, strerror(errno));
+        k5_setmsg(context, retval,
+                  _("Cannot fstat replay cache file %s: %s"),
+                  d->fn, strerror(errno));
         return KRB5_RC_IO_UNKNOWN;
     }
     if (stbuf.st_mode & 077) {
-        krb5_set_error_message(context, retval,
-                               _("Insecure mkstemp() file mode for replay "
-                                 "cache file %s; try running this program "
-                                 "with umask 077 "), d->fn);
+        k5_setmsg(context, retval,
+                  _("Insecure mkstemp() file mode for replay cache file %s; "
+                    "try running this program with umask 077"), d->fn);
         return KRB5_RC_IO_UNKNOWN;
     }
 #endif
@@ -141,15 +140,14 @@ rc_map_errno (krb5_context context, int e, const char *fn,
     case EACCES:
     case EROFS:
     case EEXIST:
-        krb5_set_error_message(context, KRB5_RC_IO_PERM,
-                               _("Cannot %s replay cache file %s: %s"),
-                               operation, fn, strerror(e));
+        k5_setmsg(context, KRB5_RC_IO_PERM,
+                  _("Cannot %s replay cache file %s: %s"),
+                  operation, fn, strerror(e));
         return KRB5_RC_IO_PERM;
 
     default:
-        krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
-                               _("Cannot %s replay cache: %s"),
-                               operation, strerror(e));
+        k5_setmsg(context, KRB5_RC_IO_UNKNOWN, _("Cannot %s replay cache: %s"),
+                  operation, strerror(e));
         return KRB5_RC_IO_UNKNOWN;
     }
 }
@@ -261,22 +259,20 @@ krb5_rc_io_open_internal(krb5_context context, krb5_rc_iostuff *d, char *fn,
         || (sb1.st_mode & S_IFMT) != S_IFREG)
     {
         retval = KRB5_RC_IO_PERM;
-        krb5_set_error_message(context, retval,
-                               "rcache not a file %s", d->fn);
+        k5_setmsg(context, retval, "rcache not a file %s", d->fn);
         goto cleanup;
     }
     /* check that non other can read/write/execute the file */
     if (sb1.st_mode & 077) {
-        krb5_set_error_message(context, retval,
-                               _("Insecure file mode for replay cache file "
-                                 "%s"), d->fn);
+        k5_setmsg(context, retval,
+                  _("Insecure file mode for replay cache file %s"), d->fn);
         return KRB5_RC_IO_UNKNOWN;
     }
     /* owned by me */
     if (sb1.st_uid != geteuid()) {
         retval = KRB5_RC_IO_PERM;
-        krb5_set_error_message(context, retval, _("rcache not owned by %d"),
-                               (int)geteuid());
+        k5_setmsg(context, retval, _("rcache not owned by %d"),
+                  (int)geteuid());
         goto cleanup;
     }
 #endif
@@ -398,20 +394,17 @@ krb5_rc_io_write(krb5_context context, krb5_rc_iostuff *d, krb5_pointer buf,
 #endif
         case EFBIG:
         case ENOSPC:
-            krb5_set_error_message (context, KRB5_RC_IO_SPACE,
-                                    _("Can't write to replay cache: %s"),
-                                    strerror(errno));
+            k5_setmsg(context, KRB5_RC_IO_SPACE,
+                      _("Can't write to replay cache: %s"), strerror(errno));
             return KRB5_RC_IO_SPACE;
         case EIO:
-            krb5_set_error_message (context, KRB5_RC_IO_IO,
-                                    _("Can't write to replay cache: %s"),
-                                    strerror(errno));
+            k5_setmsg(context, KRB5_RC_IO_IO,
+                      _("Can't write to replay cache: %s"), strerror(errno));
             return KRB5_RC_IO_IO;
         case EBADF:
         default:
-            krb5_set_error_message (context, KRB5_RC_IO_UNKNOWN,
-                                    _("Can't write to replay cache: %s"),
-                                    strerror(errno));
+            k5_setmsg(context, KRB5_RC_IO_UNKNOWN,
+                      _("Can't write to replay cache: %s"), strerror(errno));
             return KRB5_RC_IO_UNKNOWN;
         }
     return 0;
@@ -431,9 +424,8 @@ krb5_rc_io_sync(krb5_context context, krb5_rc_iostuff *d)
         case EBADF: return KRB5_RC_IO_UNKNOWN;
         case EIO: return KRB5_RC_IO_IO;
         default:
-            krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
-                                   _("Cannot sync replay cache file: %s"),
-                                   strerror(errno));
+            k5_setmsg(context, KRB5_RC_IO_UNKNOWN,
+                      _("Cannot sync replay cache file: %s"), strerror(errno));
             return KRB5_RC_IO_UNKNOWN;
         }
     }
@@ -451,9 +443,8 @@ krb5_rc_io_read(krb5_context context, krb5_rc_iostuff *d, krb5_pointer buf,
         case EIO: return KRB5_RC_IO_IO;
         case EBADF:
         default:
-            krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
-                                   _("Can't read from replay cache: %s"),
-                                   strerror(errno));
+            k5_setmsg(context, KRB5_RC_IO_UNKNOWN,
+                      _("Can't read from replay cache: %s"), strerror(errno));
             return KRB5_RC_IO_UNKNOWN;
         }
     if (count < 0 || (unsigned int)count != num)
@@ -483,22 +474,19 @@ krb5_rc_io_destroy(krb5_context context, krb5_rc_iostuff *d)
         switch(errno)
         {
         case EIO:
-            krb5_set_error_message(context, KRB5_RC_IO_IO,
-                                   _("Can't destroy replay cache: %s"),
-                                   strerror(errno));
+            k5_setmsg(context, KRB5_RC_IO_IO,
+                      _("Can't destroy replay cache: %s"), strerror(errno));
             return KRB5_RC_IO_IO;
         case EPERM:
         case EBUSY:
         case EROFS:
-            krb5_set_error_message(context, KRB5_RC_IO_PERM,
-                                   _("Can't destroy replay cache: %s"),
-                                   strerror(errno));
+            k5_setmsg(context, KRB5_RC_IO_PERM,
+                      _("Can't destroy replay cache: %s"), strerror(errno));
             return KRB5_RC_IO_PERM;
         case EBADF:
         default:
-            krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
-                                   _("Can't destroy replay cache: %s"),
-                                   strerror(errno));
+            k5_setmsg(context, KRB5_RC_IO_UNKNOWN,
+                      _("Can't destroy replay cache: %s"), strerror(errno));
             return KRB5_RC_IO_UNKNOWN;
         }
     return 0;
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index b0cd2a5..b2c449f 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -230,9 +230,9 @@ configure_context(krb5_context context, char *conf_section, char **db_args)
             dbc->hashfirst = TRUE;
         } else {
             status = EINVAL;
-            krb5_set_error_message(context, status,
-                                   _("Unsupported argument \"%s\" for db2"),
-                                   opt ? opt : val);
+            k5_setmsg(context, status,
+                      _("Unsupported argument \"%s\" for db2"),
+                      opt ? opt : val);
             goto cleanup;
         }
     }
@@ -813,9 +813,8 @@ krb5_db2_put_principal(krb5_context context, krb5_db_entry *entry,
     krb5_clear_error_message (context);
     if (db_args) {
         /* DB2 does not support db_args DB arguments for principal */
-        krb5_set_error_message(context, EINVAL,
-                               _("Unsupported argument \"%s\" for db2"),
-                               db_args[0]);
+        k5_setmsg(context, EINVAL, _("Unsupported argument \"%s\" for db2"),
+                  db_args[0]);
         return EINVAL;
     }
 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
index 4e0a9e8..8284f81 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
@@ -215,10 +215,10 @@ has_sasl_external_mech(krb5_context context, char *ldap_server)
                           "supportedSASLMechanisms", "EXTERNAL");
     switch (ret) {
     case 1: /* not supported */
-        krb5_set_error_message(context, 1, "%s", ERR_MSG2);
+        k5_setmsg(context, 1, "%s", ERR_MSG2);
         break;
     case 2: /* don't know */
-        krb5_set_error_message(context, 1, "%s", ERR_MSG1);
+        k5_setmsg(context, 1, "%s", ERR_MSG1);
         break;
     default:
         break;
@@ -298,7 +298,7 @@ int
 set_ldap_error(krb5_context ctx, int st, int op)
 {
     int translated_st = translate_ldap_error(st, op);
-    krb5_set_error_message(ctx, translated_st, "%s", ldap_err2string(st));
+    k5_setmsg(ctx, translated_st, "%s", ldap_err2string(st));
     return translated_st;
 }
 
@@ -309,7 +309,7 @@ prepend_err_str(krb5_context ctx, const char *str, krb5_error_code err,
     const char *omsg;
 
     omsg = krb5_get_error_message(ctx, oerr);
-    krb5_set_error_message(ctx, err, "%s %s", str, omsg);
+    k5_setmsg(ctx, err, "%s %s", str, omsg);
     krb5_free_error_message(ctx, omsg);
 }
 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
index b9f70fd..3ebfb87 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -46,14 +46,13 @@ krb5_validate_ldap_context(krb5_context context,
 
     if (ldap_context->bind_dn == NULL) {
         st = EINVAL;
-        krb5_set_error_message(context, st, _("LDAP bind dn value missing "));
+        k5_setmsg(context, st, _("LDAP bind dn value missing "));
         goto err_out;
     }
 
     if (ldap_context->bind_pwd == NULL && ldap_context->service_password_file == NULL) {
         st = EINVAL;
-        krb5_set_error_message(context, st,
-                               _("LDAP bind password value missing "));
+        k5_setmsg(context, st, _("LDAP bind password value missing "));
         goto err_out;
     }
 
@@ -71,8 +70,7 @@ krb5_validate_ldap_context(krb5_context context,
     /* NULL password not allowed */
     if (ldap_context->bind_pwd != NULL && strlen(ldap_context->bind_pwd) == 0) {
         st = EINVAL;
-        krb5_set_error_message(context, st,
-                               _("Service password length is zero"));
+        k5_setmsg(context, st, _("Service password length is zero"));
         goto err_out;
     }
 
@@ -113,9 +111,9 @@ krb5_ldap_initialize(krb5_ldap_context *ldap_context,
 
     /* ldap init */
     if ((st = ldap_initialize(&ldap_server_handle->ldap_handle, server_info->server_name)) != 0) {
-        krb5_set_error_message(ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR,
-                               _("Cannot create LDAP handle for '%s': %s"),
-                               server_info->server_name, ldap_err2string(st));
+        k5_setmsg(ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR,
+                  _("Cannot create LDAP handle for '%s': %s"),
+                  server_info->server_name, ldap_err2string(st));
         st = KRB5_KDB_ACCESS_ERROR;
         goto err_out;
     }
@@ -125,10 +123,10 @@ krb5_ldap_initialize(krb5_ldap_context *ldap_context,
         server_info->server_status = ON;
         krb5_update_ldap_handle(ldap_server_handle, server_info);
     } else {
-        krb5_set_error_message(ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR,
-                               _("Cannot bind to LDAP server '%s' as '%s'"
-                                 ": %s"), server_info->server_name,
-                               ldap_context->bind_dn, ldap_err2string(st));
+        k5_setmsg(ldap_context->kcontext, KRB5_KDB_ACCESS_ERROR,
+                  _("Cannot bind to LDAP server '%s' as '%s': %s"),
+                  server_info->server_name, ldap_context->bind_dn,
+                  ldap_err2string(st));
         st = KRB5_KDB_ACCESS_ERROR;
         server_info->server_status = OFF;
         time(&server_info->downtime);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
index 4fcf5a0..9cbde9a 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
@@ -128,8 +128,7 @@ cleanup:
         int rc;
         rc = krb5_ldap_delete_krbcontainer(context,
                                            ldap_context->container_dn);
-        krb5_set_error_message(context, rc,
-                               _("could not complete roll-back, error "
+        k5_setmsg(context, rc, _("could not complete roll-back, error "
                                  "deleting Kerberos Container"));
     }
 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
index 2188b2d..616a7e2 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
@@ -70,7 +70,6 @@ krb5_update_server_info(krb5_ldap_server_handle *ldap_server_handle,
             if ((st=ldap_result2error(ldap_server_handle->ldap_handle, result, 1)) == LDAP_SUCCESS) {
                 server_info->server_status = ON;
             } else {
-                /* ?? */        krb5_set_error_message(0, 0, "%s", ldap_err2string(st));
                 server_info->server_status = OFF;
                 time(&server_info->downtime);
             }
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c
index e3b42f5..4ef7f2e 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c
@@ -55,8 +55,7 @@ krb5_ldap_read_krbcontainer_dn(krb5_context context, char **container_dn)
         if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, ldap_context->conf_section,
                                    KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL,
                                    &dn)) != 0) {
-            krb5_set_error_message(context, st,
-                                   _("Error reading kerberos container "
+            k5_setmsg(context, st, _("Error reading kerberos container "
                                      "location from krb5.conf"));
             goto cleanup;
         }
@@ -67,8 +66,7 @@ krb5_ldap_read_krbcontainer_dn(krb5_context context, char **container_dn)
         if ((st=profile_get_string(context->profile, KDB_MODULE_DEF_SECTION,
                                    KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN, NULL,
                                    NULL, &dn)) != 0) {
-            krb5_set_error_message(context, st,
-                                   _("Error reading kerberos container "
+            k5_setmsg(context, st, _("Error reading kerberos container "
                                      "location from krb5.conf"));
             goto cleanup;
         }
@@ -76,8 +74,7 @@ krb5_ldap_read_krbcontainer_dn(krb5_context context, char **container_dn)
 
     if (dn == NULL) {
         st = KRB5_KDB_SERVER_INTERNAL_ERR;
-        krb5_set_error_message(context, st,
-                               _("Kerberos container location not specified"));
+        k5_setmsg(context, st, _("Kerberos container location not specified"));
         goto cleanup;
     }
 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 8776ab5..8d72832 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -84,8 +84,8 @@ prof_get_integer_def(krb5_context ctx, const char *conf_section,
                                KDB_MODULE_SECTION, conf_section, name,
                                0, &out_temp);
     if (err) {
-        krb5_set_error_message(ctx, err, _("Error reading '%s' attribute: %s"),
-                               name, error_message(err));
+        k5_setmsg(ctx, err, _("Error reading '%s' attribute: %s"), name,
+                  error_message(err));
         return err;
     }
     if (out_temp != 0) {
@@ -96,8 +96,8 @@ prof_get_integer_def(krb5_context ctx, const char *conf_section,
                                KDB_MODULE_DEF_SECTION, name, 0,
                                dfl, &out_temp);
     if (err) {
-        krb5_set_error_message(ctx, err, _("Error reading '%s' attribute: %s"),
-                               name, error_message(err));
+        k5_setmsg(ctx, err, _("Error reading '%s' attribute: %s"), name,
+                  error_message(err));
         return err;
     }
     *out = out_temp;
@@ -116,8 +116,8 @@ prof_get_boolean_def(krb5_context ctx, const char *conf_section,
     err = profile_get_boolean(ctx->profile, KDB_MODULE_SECTION, conf_section,
                               name, -1, &out_temp);
     if (err) {
-        krb5_set_error_message(ctx, err, _("Error reading '%s' attribute: %s"),
-                               name, error_message(err));
+        k5_setmsg(ctx, err, _("Error reading '%s' attribute: %s"), name,
+                  error_message(err));
         return err;
     }
     if (out_temp != -1) {
@@ -127,8 +127,8 @@ prof_get_boolean_def(krb5_context ctx, const char *conf_section,
     err = profile_get_boolean(ctx->profile, KDB_MODULE_DEF_SECTION, name, 0,
                               dfl, &out_temp);
     if (err) {
-        krb5_set_error_message(ctx, err, _("Error reading '%s' attribute: %s"),
-                               name, error_message(err));
+        k5_setmsg(ctx, err, _("Error reading '%s' attribute: %s"), name,
+                  error_message(err));
         return err;
     }
     *out = out_temp;
@@ -147,8 +147,8 @@ prof_get_string_def(krb5_context ctx, const char *conf_section,
                               KDB_MODULE_SECTION, conf_section, name,
                               0, out);
     if (err) {
-        krb5_set_error_message(ctx, err, _("Error reading '%s' attribute: %s"),
-                               name, error_message(err));
+        k5_setmsg(ctx, err, _("Error reading '%s' attribute: %s"), name,
+                  error_message(err));
         return err;
     }
     if (*out != 0)
@@ -157,8 +157,8 @@ prof_get_string_def(krb5_context ctx, const char *conf_section,
                               KDB_MODULE_DEF_SECTION, name, 0,
                               0, out);
     if (err) {
-        krb5_set_error_message(ctx, err, _("Error reading '%s' attribute: %s"),
-                               name, error_message(err));
+        k5_setmsg(ctx, err, _("Error reading '%s' attribute: %s"), name,
+                  error_message(err));
         return err;
     }
     return 0;
@@ -248,15 +248,14 @@ krb5_ldap_parse_db_params(krb5_context context, char **db_args)
             /* "temporary" is passed by kdb5_util load without -update,
              * which we don't support. */
             status = EINVAL;
-            krb5_set_error_message(context, status,
-                                   _("KDB module requires -update argument"));
+            k5_setmsg(context, status,
+                      _("KDB module requires -update argument"));
             goto cleanup;
         }
 
         if (val == NULL) {
             status = EINVAL;
-            krb5_set_error_message(context, status, _("'%s' value missing"),
-                                   opt);
+            k5_setmsg(context, status, _("'%s' value missing"), opt);
             goto cleanup;
         }
 
@@ -286,8 +285,7 @@ krb5_ldap_parse_db_params(krb5_context context, char **db_args)
             lctx->ldap_debug = atoi(val);
         } else {
             status = EINVAL;
-            krb5_set_error_message(context, status, _("unknown option '%s'"),
-                                   opt);
+            k5_setmsg(context, status, _("unknown option '%s'"), opt);
             goto cleanup;
         }
 
@@ -359,8 +357,8 @@ krb5_ldap_read_server_params(krb5_context context, char *conf_section,
 
     if (ldap_context->max_server_conns < 2) {
         st = EINVAL;
-        krb5_set_error_message(context, st, _("Minimum connections required "
-                                              "per server is 2"));
+        k5_setmsg(context, st,
+                  _("Minimum connections required per server is 2"));
         goto cleanup;
     }
 
@@ -406,8 +404,8 @@ krb5_ldap_read_server_params(krb5_context context, char *conf_section,
     if (ldap_context->server_info_list == NULL) {
         if ((st=profile_get_string(context->profile, KDB_MODULE_SECTION, conf_section,
                                    KRB5_CONF_LDAP_SERVERS, NULL, &tempval)) != 0) {
-            krb5_set_error_message(context, st, _("Error reading "
-                                                  "'ldap_servers' attribute"));
+            k5_setmsg(context, st,
+                      _("Error reading 'ldap_servers' attribute"));
             goto cleanup;
         }
 
@@ -1327,7 +1325,7 @@ krb5_error_code
 krb5_ldap_lock(krb5_context kcontext, int mode)
 {
     krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
-    krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
+    k5_setmsg(kcontext, status, "LDAP %s", error_message(status));
     return status;
 }
 
@@ -1335,7 +1333,7 @@ krb5_error_code
 krb5_ldap_unlock(krb5_context kcontext)
 {
     krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
-    krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
+    k5_setmsg(kcontext, status, "LDAP %s", error_message(status));
     return status;
 }
 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
index 47ba5f0..81d5cba 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -156,7 +156,7 @@ krb5_ldap_iterate(krb5_context context, char *match_expr,
         realm = context->default_realm;
         if (realm == NULL) {
             st = EINVAL;
-            krb5_set_error_message(context, st, _("Default realm not set"));
+            k5_setmsg(context, st, _("Default realm not set"));
             goto cleanup;
         }
     }
@@ -256,7 +256,7 @@ krb5_ldap_delete_principal(krb5_context context,
 
     if (DN == NULL) {
         st = EINVAL;
-        krb5_set_error_message(context, st, _("DN information missing"));
+        k5_setmsg(context, st, _("DN information missing"));
         goto cleanup;
     }
 
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index c30599e..0070273 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -105,8 +105,7 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
 
     if (is_principal_in_realm(ldap_context, searchfor) != 0) {
         st = KRB5_KDB_NOENTRY;
-        krb5_set_error_message(context, st,
-                               _("Principal does not belong to realm"));
+        k5_setmsg(context, st, _("Principal does not belong to realm"));
         goto cleanup;
     }
 
@@ -276,9 +275,8 @@ process_db_args(krb5_context context, char **db_args, xargs_t *xargs,
                         xargs->dn != NULL || xargs->containerdn != NULL ||
                         xargs->linkdn != NULL) {
                         st = EINVAL;
-                        krb5_set_error_message(context, st,
-                                               _("%s option not supported"),
-                                               arg);
+                        k5_setmsg(context, st, _("%s option not supported"),
+                                  arg);
                         goto cleanup;
                     }
                     dptr = &xargs->dn;
@@ -286,41 +284,36 @@ process_db_args(krb5_context context, char **db_args, xargs_t *xargs,
                     if (optype == MODIFY_PRINCIPAL ||
                         xargs->dn != NULL || xargs->containerdn != NULL) {
                         st = EINVAL;
-                        krb5_set_error_message(context, st,
-                                               _("%s option not supported"),
-                                               arg);
+                        k5_setmsg(context, st, _("%s option not supported"),
+                                  arg);
                         goto cleanup;
                     }
                     dptr = &xargs->containerdn;
                 } else if (strcmp(arg, LINKDN_ARG) == 0) {
                     if (xargs->dn != NULL || xargs->linkdn != NULL) {
                         st = EINVAL;
-                        krb5_set_error_message(context, st,
-                                               _("%s option not supported"),
-                                               arg);
+                        k5_setmsg(context, st, _("%s option not supported"),
+                                  arg);
                         goto cleanup;
                     }
                     dptr = &xargs->linkdn;
                 } else {
                     st = EINVAL;
-                    krb5_set_error_message(context, st,
-                                           _("unknown option: %s"), arg);
+                    k5_setmsg(context, st, _("unknown option: %s"), arg);
                     goto cleanup;
                 }
 
                 xargs->dn_from_kbd = TRUE;
                 if (arg_val == NULL || strlen(arg_val) == 0) {
                     st = EINVAL;
-                    krb5_set_error_message(context, st,
-                                           _("%s option value missing"), arg);
+                    k5_setmsg(context, st, _("%s option value missing"), arg);
                     goto cleanup;
                 }
             }
 
             if (arg_val == NULL) {
                 st = EINVAL;
-                krb5_set_error_message(context, st,
-                                       _("%s option value missing"), arg);
+                k5_setmsg(context, st, _("%s option value missing"), arg);
                 goto cleanup;
             }
             arg_val_len = strlen(arg_val) + 1;
@@ -522,8 +515,8 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
 
     if (is_principal_in_realm(ldap_context, entry->princ) != 0) {
         st = EINVAL;
-        krb5_set_error_message(context, st, _("Principal does not belong to "
-                                              "the default realm"));
+        k5_setmsg(context, st,
+                  _("Principal does not belong to the default realm"));
         goto cleanup;
     }
 
@@ -592,11 +585,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
                     ldap_msgfree(result);
                     free(filter);
                     st = EINVAL;
-                    krb5_set_error_message(context, st,
-                                           _("operation can not continue, "
-                                             "more than one entry with "
-                                             "principal name \"%s\" found"),
-                                           user);
+                    k5_setmsg(context, st,
+                              _("operation can not continue, more than one "
+                                "entry with principal name \"%s\" found"),
+                              user);
                     goto cleanup;
                 } else if (numlentries == 1) {
                     found_entry = TRUE;
@@ -739,8 +731,7 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
 
         if (outofsubtree == TRUE) {
             st = EINVAL;
-            krb5_set_error_message(context, st,
-                                   _("DN is out of the realm subtree"));
+            k5_setmsg(context, st, _("DN is out of the realm subtree"));
             goto cleanup;
         }
 
@@ -796,7 +787,7 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
         st = EINVAL;
         snprintf(errbuf, sizeof(errbuf),
                  _("ldap object is already kerberized"));
-        krb5_set_error_message(context, st, "%s", errbuf);
+        k5_setmsg(context, st, "%s", errbuf);
         goto cleanup;
     }
 
@@ -817,7 +808,7 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
             snprintf(errbuf, sizeof(errbuf),
                      _("link information can not be set/updated as the "
                        "kerberos principal belongs to an ldap object"));
-            krb5_set_error_message(context, st, "%s", errbuf);
+            k5_setmsg(context, st, "%s", errbuf);
             goto cleanup;
         }
         /*
@@ -831,7 +822,7 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
             if ((st=krb5_get_linkdn(context, entry, &linkdns)) != 0) {
                 snprintf(errbuf, sizeof(errbuf),
                          _("Failed getting object references"));
-                krb5_set_error_message(context, st, "%s", errbuf);
+                k5_setmsg(context, st, "%s", errbuf);
                 goto cleanup;
             }
             if (linkdns != NULL) {
@@ -839,7 +830,7 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
                 snprintf(errbuf, sizeof(errbuf),
                          _("kerberos principal is already linked to a ldap "
                            "object"));
-                krb5_set_error_message(context, st, "%s", errbuf);
+                k5_setmsg(context, st, "%s", errbuf);
                 for (j=0; linkdns[j] != NULL; ++j)
                     free (linkdns[j]);
                 free (linkdns);
@@ -1001,7 +992,7 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
                 goto cleanup;
         } else {
             st = EINVAL;
-            krb5_set_error_message(context, st, "Password policy value null");
+            k5_setmsg(context, st, "Password policy value null");
             goto cleanup;
         }
     } else if (entry->mask & KADM5_LOAD && found_entry == TRUE) {
@@ -1196,7 +1187,7 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
                          _("Principal delete failed (trying to replace "
                            "entry): %s"), ldap_err2string(st));
                 st = translate_ldap_error (st, OP_ADD);
-                krb5_set_error_message(context, st, "%s", errbuf);
+                k5_setmsg(context, st, "%s", errbuf);
                 goto cleanup;
             } else {
                 st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
@@ -1206,7 +1197,7 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
             snprintf(errbuf, sizeof(errbuf), _("Principal add failed: %s"),
                      ldap_err2string(st));
             st = translate_ldap_error (st, OP_ADD);
-            krb5_set_error_message(context, st, "%s", errbuf);
+            k5_setmsg(context, st, "%s", errbuf);
             goto cleanup;
         }
     } else {
@@ -1244,7 +1235,7 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
             snprintf(errbuf, sizeof(errbuf), _("User modification failed: %s"),
                      ldap_err2string(st));
             st = translate_ldap_error (st, OP_MOD);
-            krb5_set_error_message(context, st, "%s", errbuf);
+            k5_setmsg(context, st, "%s", errbuf);
             goto cleanup;
         }
 
@@ -1373,9 +1364,9 @@ krb5_decode_krbsecretkey(krb5_context context, krb5_db_entry *entries,
         if (st != 0) {
             const char *msg = error_message(st);
             st = -1; /* Something more appropriate ? */
-            krb5_set_error_message(context, st, _("unable to decode stored "
-                                                  "principal key data (%s)"),
-                                   msg);
+            k5_setmsg(context, st,
+                      _("unable to decode stored principal key data (%s)"),
+                      msg);
             goto cleanup;
         }
         noofkeys += n_kd;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
index 032be6f..086c458 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c
@@ -220,8 +220,7 @@ krb5_ldap_delete_realm (krb5_context context, char *lrealm)
 
     if (lrealm == NULL) {
         st = EINVAL;
-        krb5_set_error_message(context, st,
-                               _("Realm information not available"));
+        k5_setmsg(context, st, _("Realm information not available"));
         goto cleanup;
     }
 
@@ -306,8 +305,8 @@ krb5_ldap_delete_realm (krb5_context context, char *lrealm)
     if ((st=ldap_delete_ext_s(ld, ldap_context->lrparams->realmdn, NULL, NULL)) != LDAP_SUCCESS) {
         int ost = st;
         st = translate_ldap_error (st, OP_DEL);
-        krb5_set_error_message(context, st, _("Realm Delete FAILED: %s"),
-                               ldap_err2string(ost));
+        k5_setmsg(context, st, _("Realm Delete FAILED: %s"),
+                  ldap_err2string(ost));
     }
 
 cleanup:
@@ -480,8 +479,7 @@ krb5_ldap_create_krbcontainer(krb5_context context, const char *dn)
 
     if (dn == NULL) {
         st = EINVAL;
-        krb5_set_error_message(context, st,
-                               _("Kerberos Container information is missing"));
+        k5_setmsg(context, st, _("Kerberos Container information is missing"));
         goto cleanup;
     }
 
@@ -493,8 +491,7 @@ krb5_ldap_create_krbcontainer(krb5_context context, const char *dn)
     rdns = ldap_explode_dn(dn, 1);
     if (rdns == NULL) {
         st = EINVAL;
-        krb5_set_error_message(context, st,
-                               _("Invalid Kerberos container DN"));
+        k5_setmsg(context, st, _("Invalid Kerberos container DN"));
         goto cleanup;
     }
 
@@ -510,9 +507,8 @@ krb5_ldap_create_krbcontainer(krb5_context context, const char *dn)
     if (st != LDAP_SUCCESS) {
         int ost = st;
         st = translate_ldap_error (st, OP_ADD);
-        krb5_set_error_message(context, st,
-                               _("Kerberos Container create FAILED: %s"),
-                               ldap_err2string(ost));
+        k5_setmsg(context, st, _("Kerberos Container create FAILED: %s"),
+                  ldap_err2string(ost));
         goto cleanup;
     }
 
@@ -546,8 +542,7 @@ krb5_ldap_delete_krbcontainer(krb5_context context, const char *dn)
 
     if (dn == NULL) {
         st = EINVAL;
-        krb5_set_error_message(context, st,
-                               _("Kerberos Container information is missing"));
+        k5_setmsg(context, st, _("Kerberos Container information is missing"));
         goto cleanup;
     }
 
@@ -555,9 +550,8 @@ krb5_ldap_delete_krbcontainer(krb5_context context, const char *dn)
     if ((st = ldap_delete_ext_s(ld, dn, NULL, NULL)) != LDAP_SUCCESS) {
         int ost = st;
         st = translate_ldap_error (st, OP_ADD);
-        krb5_set_error_message(context, st,
-                               _("Kerberos Container delete FAILED: %s"),
-                               ldap_err2string(ost));
+        k5_setmsg(context, st, _("Kerberos Container delete FAILED: %s"),
+                  ldap_err2string(ost));
         goto cleanup;
     }
 
@@ -923,6 +917,6 @@ krb5_ldap_delete_realm_1(krb5_context kcontext, char *conf_section,
                          char **db_args)
 {
     krb5_error_code status = KRB5_PLUGIN_OP_NOTSUPP;
-    krb5_set_error_message(kcontext, status, "LDAP %s", error_message(status));
+    k5_setmsg(kcontext, status, "LDAP %s", error_message(status));
     return status;
 }
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
index 32e2af0..36e6d59 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c
@@ -46,15 +46,14 @@ dec_password(krb5_context context, const char *str,
     *password_out = NULL;
 
     if (strncmp(str, "{HEX}", 5) != 0) {
-        krb5_set_error_message(context, EINVAL,
-                               _("Not a hexadecimal password"));
+        k5_setmsg(context, EINVAL, _("Not a hexadecimal password"));
         return EINVAL;
     }
     str += 5;
 
     len = strlen(str);
     if (len % 2 != 0) {
-        krb5_set_error_message(context, EINVAL, _("Password corrupt"));
+        k5_setmsg(context, EINVAL, _("Password corrupt"));
         return EINVAL;
     }
 
@@ -65,7 +64,7 @@ dec_password(krb5_context context, const char *str,
     for (p = (unsigned char *)str; *p != '\0'; p += 2) {
         if (!isxdigit(*p) || !isxdigit(p[1])) {
             free(password);
-            krb5_set_error_message(context, EINVAL, _("Password corrupt"));
+            k5_setmsg(context, EINVAL, _("Password corrupt"));
             return EINVAL;
         }
         sscanf((char *)p, "%2x", &k);
@@ -99,9 +98,8 @@ krb5_ldap_readpassword(krb5_context context, krb5_ldap_context *ldap_context,
     fptr = fopen(file, "r");
     if (fptr == NULL) {
         st = errno;
-        krb5_set_error_message(context, st,
-                               _("Cannot open LDAP password file '%s': %s"),
-                               file, error_message(st));
+        k5_setmsg(context, st, _("Cannot open LDAP password file '%s': %s"),
+                  file, error_message(st));
         goto rp_exit;
     }
     set_cloexec_file(fptr);
@@ -129,9 +127,9 @@ krb5_ldap_readpassword(krb5_context context, krb5_ldap_context *ldap_context,
 
     if (entryfound == 0)  {
         st = KRB5_KDB_SERVER_INTERNAL_ERR;
-        krb5_set_error_message(context, st, _("Bind DN entry '%s' missing in "
-                                              "LDAP password file '%s'"),
-                               ldap_context->bind_dn, file);
+        k5_setmsg(context, st,
+                  _("Bind DN entry '%s' missing in LDAP password file '%s'"),
+                  ldap_context->bind_dn, file);
         goto rp_exit;
     }
     /* replace the \n with \0 */
@@ -143,7 +141,7 @@ krb5_ldap_readpassword(krb5_context context, krb5_ldap_context *ldap_context,
     if (start == NULL) {
         /* password field missing */
         st = KRB5_KDB_SERVER_INTERNAL_ERR;
-        krb5_set_error_message(context, st, _("Stash file entry corrupt"));
+        k5_setmsg(context, st, _("Stash file entry corrupt"));
         goto rp_exit;
     }
     ++ start;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
index 99b5401..5fe3164 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c
@@ -53,7 +53,7 @@ krb5_ldap_create_policy(krb5_context context, krb5_ldap_policy_params *policy,
     /* validate the input parameters */
     if (policy == NULL || policy->policy == NULL) {
         st = EINVAL;
-        krb5_set_error_message(context, st, _("Ticket Policy Name missing"));
+        k5_setmsg(context, st, _("Ticket Policy Name missing"));
         goto cleanup;
     }
 
@@ -129,7 +129,7 @@ krb5_ldap_modify_policy(krb5_context context, krb5_ldap_policy_params *policy,
     /* validate the input parameters */
     if (policy == NULL || policy->policy==NULL) {
         st = EINVAL;
-        krb5_set_error_message(context, st, _("Ticket Policy Name missing"));
+        k5_setmsg(context, st, _("Ticket Policy Name missing"));
         goto cleanup;
     }
 
@@ -206,8 +206,7 @@ krb5_ldap_read_policy(krb5_context context, char *policyname,
     /* validate the input parameters */
     if (policyname == NULL  || policy == NULL) {
         st = EINVAL;
-        krb5_set_error_message(context, st,
-                               _("Ticket Policy Object information missing"));
+        k5_setmsg(context, st, _("Ticket Policy Object information missing"));
         goto cleanup;
     }
 
diff --git a/src/plugins/preauth/securid_sam2/securid2.c b/src/plugins/preauth/securid_sam2/securid2.c
index e3c8c7d..ca99ce3 100644
--- a/src/plugins/preauth/securid_sam2/securid2.c
+++ b/src/plugins/preauth/securid_sam2/securid2.c
@@ -306,9 +306,9 @@ verify_securid_data_2(krb5_context context, krb5_db_entry *client,
     if ((sr2->sam_enc_nonce_or_sad.ciphertext.data == NULL) ||
         (sr2->sam_enc_nonce_or_sad.ciphertext.length <= 0)) {
         retval = KRB5KDC_ERR_PREAUTH_FAILED;
-        krb5_set_error_message(context, retval,
-                               "No preauth data supplied in "
-                               "verify_securid_data_2 (%s)", user);
+        k5_setmsg(context, retval,
+                  "No preauth data supplied in verify_securid_data_2 (%s)",
+                  user);
         goto cleanup;
     }
 


More information about the cvs-krb5 mailing list