Getting the right error code in tryagain client pre-auth interface
Greg Hudson
ghudson at MIT.EDU
Mon Aug 6 11:22:51 EDT 2012
On 08/06/2012 06:11 AM, Alejandro Perez Mendez wrote:
> Thus, I cannot use that constant to check the error->error value in the
> "tryagain" callback, since that parameter takes the 91 value, not the
> -1765328293L one.
>
> Is this an error, and the error->error value should be -1765328293L, or
> should I "preprocess" the value to make it match the one in the #define?

Kerberos protocol error codes are small integers. Within the krb5 code
base, we map those into a larger, structured error number space (using
com_err) so that we can have a single integer type which expresses
system errors, library errors, and protocol errors.

It's not a bug that error->error is a Kerberos protocol error code,
since the krb5_error structure is intended to represent a Kerberos
protocol data unit, but it does mean that you won't be able to use a
com_err value when checking this field. Within the krb5 tree, we have
internal constants defined in k5-int.h like:

    #define KRB_AP_ERR_BAD_INTEGRITY 31

I suggest defining something along similar lines for your plugin module.
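
The relationship between the two number spaces discussed in this thread, as an added example that is not part of the original message or of the krb5 tree. The `PLUGIN_*` names, the `sample_krb_error` struct and the 0..127 protocol range are assumptions made for illustration; the offset is derived from the two values quoted above (91 and -1765328293L).

```c
#include <stdio.h>

/* Offset between the two number spaces, derived from the values quoted in
 * the thread: -1765328293 - 91. krb5.h exposes the same value as
 * ERROR_TABLE_BASE_krb5. */
#define PLUGIN_KRB5_TABLE_BASE (-1765328384L)

/* Hypothetical plugin-local constant for protocol error 91, in the style
 * of the k5-int.h definition quoted in the message. */
#define PLUGIN_KRB_ERR_91 91

/* Assumption: protocol codes occupy slots 0..127 of the krb5 table. */
#define PLUGIN_PROTO_ERR_MAX 127

/* Stand-in for the single krb5_error field this example needs. */
struct sample_krb_error { int error; };

/* Protocol code -> com_err value. Returns 1 and fills *out on success,
 * 0 if the code is outside the protocol range. */
int proto_to_com_err(int proto, long *out)
{
    if (proto < 0 || proto > PLUGIN_PROTO_ERR_MAX)
        return 0;
    *out = PLUGIN_KRB5_TABLE_BASE + proto;
    return 1;
}

/* com_err value -> protocol code, or -1 if it is not a protocol error. */
int com_err_to_proto(long code)
{
    long off = code - PLUGIN_KRB5_TABLE_BASE;
    return (off < 0 || off > PLUGIN_PROTO_ERR_MAX) ? -1 : (int)off;
}

/* The comparison a tryagain callback would make: the wire value is
 * checked against the small-integer constant, not the com_err one. */
int should_retry(const struct sample_krb_error *err)
{
    return err->error == PLUGIN_KRB_ERR_91;
}

int main(void)
{
    struct sample_krb_error e = { 91 };  /* constructed sample */
    long ce = 0;
    proto_to_com_err(e.error, &ce);
    printf("retry=%d com_err=%ld\n", should_retry(&e), ce);
    return 0;
}
```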