Getting the right error code in tryagain client pre-auth interface

Greg Hudson ghudson at MIT.EDU
Mon Aug 6 11:22:51 EDT 2012

On 08/06/2012 06:11 AM, Alejandro Perez Mendez wrote:
> Thus, I cannot use that constant to check the error->error value in the 
> "tryagain" callback, since that parameter takes the 91 value, not the 
> -1765328293L one.
> Is this an error, and the error->error value should be -1765328293L, or 
> should I "preprocess" the value to make it match the one in the #define?

Kerberos protocol error codes are small integers.  Within the krb5 code
base, we map those into a larger, structured error number space (using
com_err) so that we can have a single integer type which expresses
system errors, library errors, and protocol errors.

It's not a bug that error->error is a Kerberos protocol error code,
since the krb5_error structure is intended to represent a Kerberos
protocol data unit, but it does mean that you won't be able to use a
com_err value when checking this field.  Within the krb5 tree, we have
internal constants defined in k5-int.h like:


I suggest defining something along similar lines for your plugin module.

More information about the krbdev mailing list