Getting the right error code in tryagain client pre-auth interface

Alejandro Perez Mendez alex at um.es
Mon Aug 6 13:48:24 EDT 2012


On 06/08/12 16:22, Greg Hudson wrote:
> On 08/06/2012 06:11 AM, Alejandro Perez Mendez wrote:
>> Thus, I cannot use that constant to check the error->error value in the
>> "tryagain" callback, since that parameter takes the 91 value, not the
>> -1765328293L one.
>>
>> Is this an error, and the error->error value should be -1765328293L, or
>> should I "preprocess" the value to make it match the one in the #define?
> Kerberos protocol error codes are small integers.  Within the krb5 code
> base, we map those into a larger, structured error number space (using
> com_err) so that we can have a single integer type which expresses
> system errors, library errors, and protocol errors.
>
> It's not a bug that error->error is a Kerberos protocol error code,
> since the krb5_error structure is intended to represent a Kerberos
> protocol data unit, but it does mean that you won't be able to use a
> com_err value when checking this field.  Within the krb5 tree, we have
> internal constants defined in k5-int.h like:
>
> #define KRB_AP_ERR_BAD_INTEGRITY 31
>
> I suggest defining something along similar lines for your plugin module.
>
Hi Greg,

Thanks for the answer. I didn't notice those definitions.  Then including

#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91

in the k5-int.h file would do it. I will do it in my branch, so it could
be merged later.

Regards,
Alejandro
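
Added example, not part of the original thread or of the krb5 source: the relationship between the protocol value 91 seen in error->error and the com_err value -1765328293L, with range-checked conversion in both directions. The names KRB5_TABLE_BASE and PROTO_ERR_MAX and the helper functions are hypothetical; the base value is that of ERROR_TABLE_BASE_krb5, and the 0..127 protocol range is an assumption about the table layout.

```c
#include <stdio.h>

/* Value of ERROR_TABLE_BASE_krb5, the base of the krb5 com_err table. */
#define KRB5_TABLE_BASE (-1765328384L)   /* local, hypothetical name */
/* Assumption: protocol error codes occupy table offsets 0..127. */
#define PROTO_ERR_MAX 127L
/* Plugin-local protocol constant, as suggested in the thread. */
#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91

/* Protocol code (as in error->error) -> com_err value; 0 if out of range. */
long proto_to_com_err(long proto)
{
    if (proto < 0 || proto > PROTO_ERR_MAX)
        return 0;
    return KRB5_TABLE_BASE + proto;
}

/* com_err value -> protocol code; -1 if it is not a protocol error. */
long com_err_to_proto(long code)
{
    /* Widen before subtracting so a large positive code cannot overflow. */
    long long off = (long long)code - KRB5_TABLE_BASE;
    if (off < 0 || off > PROTO_ERR_MAX)
        return -1;
    return (long)off;
}

/* The check a tryagain callback needs: wire value vs. protocol constant. */
int is_more_preauth_required(long wire_error)
{
    return wire_error == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED;
}

int main(void)
{
    long wire = 91;  /* constructed sample: value seen in error->error */
    printf("wire %ld -> com_err %ld\n", wire, proto_to_com_err(wire));
    printf("equals com_err constant directly: %d\n", wire == -1765328293L);
    printf("equals protocol constant: %d\n", is_more_preauth_required(wire));
    return 0;
}
```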
