Report shadowed error code in decrypt_ticket?

Greg Hudson ghudson at MIT.EDU
Wed Jun 12 14:19:32 EDT 2013


On 06/11/2013 11:41 AM, Jan-Marek Glogowski wrote:
> The following question came to my mind: Can there be multiple keys with
> the same encryption type and matching principal in the same keytab?

Absolutely.  The server argument might even be NULL, in which case
krb5_sname_match() will always return true.

> If there might be multiple matches, the alternative second patch would
> catch the last error from try_one_entry, which might be more helpful
> than the current situation.

That would have the unfortunate side effect of turning legitimate
wrong-principal errors into KRB5KRB_AP_ERR_BAD_INTEGRITY errors.

The current error handling does make it hard to diagnose a number of
server misconfigurations.  This one is pretty easy to detect at a higher
layer (if req->ticket->enc_part.enctype isn't valid or permitted, return
an error before even looking at the keytab), but some others are
trickier, such as an out-of-date keytab.
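
As an added illustration, not code from this thread or from MIT krb5, here is a self-contained C model of the decrypt_ticket() loop with the higher-layer enctype check described above, keeping "no keytab entry matched" distinct from "matching entries were found but none decrypted the ticket". The error codes, try_one_entry(), sname_match(), the aes_only() policy and the sample keytab are constructed stand-ins, not the real krb5 API or data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the krb5 error codes discussed in the thread. */
enum { OK = 0, ERR_BADENCTYPE = 1, ERR_NOT_US = 2, ERR_BAD_INTEGRITY = 3 };

struct kt_entry { const char *princ; int enctype; int kvno; };
struct ap_req   { int enctype; int kvno; };
/* Stand-in for try_one_entry(): "decryption" succeeds only when kvno matches. */
static int try_one_entry(const struct ap_req *req, const struct kt_entry *e) {
    return e->kvno == req->kvno ? OK : ERR_BAD_INTEGRITY;
}
/* Stand-in for krb5_sname_match(): a NULL server matches any principal. */
static bool sname_match(const char *server, const char *princ) {
    return server == NULL || strcmp(server, princ) == 0;
}
/* Constructed policy: only the AES enctypes (17, 18) are permitted. */
static bool aes_only(int enctype) { return enctype == 17 || enctype == 18; }

/* Model of decrypt_ticket(): the enctype is rejected before the keytab is
 * read, and skipped (non-matching) entries never set the return value, so
 * a wrong-principal request is not reported as a bad-integrity one. */
int decrypt_ticket(const struct ap_req *req, const char *server,
                   const struct kt_entry *kt, size_t n, bool (*permitted)(int)) {
    if (!permitted(req->enctype))
        return ERR_BADENCTYPE;
    bool matched = false;
    for (size_t i = 0; i < n; i++) {
        if (kt[i].enctype != req->enctype || !sname_match(server, kt[i].princ))
            continue;
        matched = true;
        if (try_one_entry(req, &kt[i]) == OK)
            return OK;                       /* first key that decrypts wins */
    }
    return matched ? ERR_BAD_INTEGRITY : ERR_NOT_US;
}

/* Constructed sample keytab: two kvnos for host/a, one entry for host/b. */
static const struct kt_entry sample_kt[] = {
    { "host/a@EXAMPLE.COM", 18, 1 },
    { "host/a@EXAMPLE.COM", 18, 2 },
    { "host/b@EXAMPLE.COM", 18, 1 },
};

/* Run one request against the sample keytab and return the error code. */
int scenario(const char *server, int enctype, int kvno) {
    struct ap_req req = { enctype, kvno };
    return decrypt_ticket(&req, server, sample_kt, 3, aes_only);
}
```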
