On Thu, Apr 17, 2014 at 01:39:23PM +0200, Pavel Reichl wrote:
Hello,
please see attached patch.
Thanks.
Pavel Reichl
From 92ba71350e7013c67718d4987da5afd4492615e7 Mon Sep 17 00:00:00
2001
From: Pavel Reichl <preichl(a)redhat.com>
Date: Thu, 17 Apr 2014 12:31:17 +0000
Subject: [PATCH] KRB5: Go offline in case of generic error
Resolves:
https://fedorahosted.org/sssd/ticket/2313
---
src/providers/krb5/krb5_child.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 81f86bbe843c90f22aa406dee4b619c843c2b5ee..0980c7c45d0fe872ca3ca0d1f8b2a0aa0ab86f87
100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1049,6 +1049,7 @@ static errno_t map_krb5_error(krb5_error_code kerr)
case KRB5_LIBOS_CANTREADPWD:
return ERR_NO_CREDS;
+ case KRB5KRB_ERR_GENERIC:
case KRB5KRB_AP_ERR_SKEW:
case KRB5_KDC_UNREACH:
case KRB5_REALM_CANT_RESOLVE:
--
1.8.4.2
The patch itself is OK. Because I'm not a Kerberos expert myself, I
would like to check with Simo before pushing the patch.
My only fear is that we might be hiding deliberate errors. I did a quick
grep of the krb5 1.11 codebase, but I can't say I understand it all..