[krbdev.mit.edu #8222] krb5_init_creds_get_error() cannot retrieve most intermediate errors
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Sun Jul 26 10:44:08 EDT 2015
krb5_init_creds_get_error() is patterned after a similar Heimdal
interface (although Heimdal uses a different type to represent KRB-
ERROR messages) and is documented to "get the last error from KDC
from an initial credentials context." Although the precise semantics
are not clear, the implication (as well as the Heimdal behavior) is
that it should work to retrieve intermediate errors during a
krb5_init_creds_step() sequence, as well as to retrieve the final
error after the exchange is complete.
The current implementation does not allow most intermediate errors to
be retrieved. This is because ctx->err_reply has two purposes: it is
used by krb5_init_creds_get_error(), and is also used by
init_creds_step_request() to decide whether to try regular pre-
authentication or "try again with an error" pre-authentication.
Because of that, ctx->err_reply is discarded whenever an error should
result in regular pre-authentication; this includes PREAUTH_REQUIRED
and MORE_PREAUTH_DATA_ERROR_REQUIERD errors, realm referrals, and
negotiation restarts.
More information about the krb5-bugs
mailing list