[krbdev.mit.edu #5555] Addition of krb5_get_init_creds_opt_get_error and krb5_copy_error
Public Submitter via RT
rt-comment at krbdev.mit.edu
Tue May 8 08:17:41 EDT 2007
Hello,

attached is a patch that adds two new krb5_* calls:
krb5_get_init_creds_opt_get_error() and krb5_copy_error(). These two
calls already exist in Heimdal Kerberos (since version 0.8).

The reason for adding these calls is to enable the caller to retrieve
the full krb5_error packet after a failed AS-REQ from a Windows KDC.
Windows KDCs add extended 32-bit NTSTATUS codes into the krb5_error edata
as a KRB5_PADATA_PW_SALT (see here:
http://marc.info/?l=samba-technical&m=114263219025559&w=2) to transport
more fine-grained error conditions (e.g. based on Windows account
restrictions).

Having access to these NTSTATUS codes is extremely valuable for Samba as
a krb5 client, notably for the error handling in the kerberized
pam_winbind module where it is used currently when the system krb5 library
(currently only Heimdal > 0.8) offers it.

Can these calls be added to MIT Kerberos? The patch is against MIT
Kerberos 1.6.1 and has been valgrinded and tested on Fedora Core 6 x86_64.

Thanks,
Guenther
--
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner at redhat.com
Samba Team gd at samba.org
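
An added example, not part of the original message or the attached patch: once a caller has the e-data bytes of the failed AS-REQ's krb5_error, this is one way to pull out the NTSTATUS. It assumes the e-data is a single DER PA-DATA of type KRB5_PADATA_PW_SALT whose 12-byte value is status, reserved and flags as little-endian 32-bit words; `edata_to_ntstatus`, `der_hdr` and `sample_edata` are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PADATA_PW_SALT 3 /* value of KRB5_PADATA_PW_SALT */

/* Constructed sample e-data: PA-DATA { [1] 3, [2] 12-byte blob } carrying
 * 0xC0000224 (STATUS_PASSWORD_MUST_CHANGE). Not captured from a real KDC. */
static const uint8_t sample_edata[] = {
    0x30, 0x15, 0xA1, 0x03, 0x02, 0x01, 0x03, 0xA2, 0x0E, 0x04, 0x0C,
    0x24, 0x02, 0x00, 0xC0,  0x00, 0x00, 0x00, 0x00,  0x01, 0x00, 0x00, 0x00
};

/* Consume one DER tag+length header; on success *p points at the contents. */
static int der_hdr(const uint8_t **p, const uint8_t *end, uint8_t tag, size_t *len)
{
    if (end - *p < 2 || (*p)[0] != tag) return -1;
    size_t l = (*p)[1];
    *p += 2;
    if (l & 0x80) {                        /* long form: 1 or 2 length bytes */
        size_t n = l & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - *p) < n) return -1;
        for (l = 0; n > 0; n--) l = (l << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < l) return -1; /* contents must fit in the buffer */
    *len = l;
    return 0;
}

/* Returns 0 and stores the NTSTATUS, or -1 if e-data is not in this form. */
int edata_to_ntstatus(const uint8_t *edata, size_t n, uint32_t *status)
{
    const uint8_t *p = edata, *end = edata + n;
    size_t len;
    if (der_hdr(&p, end, 0x30, &len)) return -1;        /* PA-DATA SEQUENCE */
    end = p + len;
    if (der_hdr(&p, end, 0xA1, &len)) return -1;        /* [1] padata-type */
    if (der_hdr(&p, end, 0x02, &len) || len != 1 || p[0] != PADATA_PW_SALT) return -1;
    p += 1;
    if (der_hdr(&p, end, 0xA2, &len)) return -1;        /* [2] padata-value */
    if (der_hdr(&p, end, 0x04, &len) || len != 12) return -1;
    /* Assumed layout: status, reserved, flags; each 32-bit little-endian. */
    *status = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 0;
}

int main(void)
{
    uint32_t st;
    if (edata_to_ntstatus(sample_edata, sizeof sample_edata, &st) == 0)
        printf("NTSTATUS 0x%08X\n", (unsigned)st);
    return 0;
}
```

Anything that is not a PW-SALT PA-DATA with a 12-byte value, including truncated input, is rejected with -1 so the caller can fall back to the plain Kerberos error code.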