On Thu, 2014-04-17 at 21:17 +0200, Jakub Hrozek wrote:
On Thu, Apr 17, 2014 at 01:39:23PM +0200, Pavel Reichl wrote:
> Hello,
>
> please see attached patch.
>
> Thanks.
>
> Pavel Reichl
> From 92ba71350e7013c67718d4987da5afd4492615e7 Mon Sep 17 00:00:00 2001
> From: Pavel Reichl <preichl(a)redhat.com>
> Date: Thu, 17 Apr 2014 12:31:17 +0000
> Subject: [PATCH] KRB5: Go offline in case of generic error
>
> Resolves:
> https://fedorahosted.org/sssd/ticket/2313
> ---
> src/providers/krb5/krb5_child.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
> index
81f86bbe843c90f22aa406dee4b619c843c2b5ee..0980c7c45d0fe872ca3ca0d1f8b2a0aa0ab86f87 100644
> --- a/src/providers/krb5/krb5_child.c
> +++ b/src/providers/krb5/krb5_child.c
> @@ -1049,6 +1049,7 @@ static errno_t map_krb5_error(krb5_error_code kerr)
> case KRB5_LIBOS_CANTREADPWD:
> return ERR_NO_CREDS;
>
> + case KRB5KRB_ERR_GENERIC:
> case KRB5KRB_AP_ERR_SKEW:
> case KRB5_KDC_UNREACH:
> case KRB5_REALM_CANT_RESOLVE:
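
Review bot: The new `case KRB5KRB_ERR_GENERIC:` at the top of the fall-through group in map_krb5_error() carries no comment, and the commit message gives only the ticket link, so the reason a catch-all error is treated like KRB5_KDC_UNREACH and KRB5_REALM_CANT_RESOLVE is not recorded anywhere in the change. The group's return statement lies outside the visible context, so please confirm that it is the go-offline value the subject line intends. Consider a one-line comment on the new case, and make sure the original kerr is logged before it is mapped, so that a generic error stays visible in the logs once it is folded into the offline path.
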
> --
> 1.8.4.2
>
The patch itself is OK. Because I'm not a Kerberos expert myself, I
would like to check with Simo before pushing the patch.
I think the patch is ok.
My only fear is that we might be hiding deliberate errors. I did a quick
grep of the krb5 1.11 codebase, but I can't say I understand it all..
Well, keep in mind that, technically, Kerberos error codes can be
tampered with. As for losing important messages, that is unlikely with a
'generic' error.
Simo.