I'm currently looking at why kinit cannot give a decent error message on the easy fact that a credential has expired. Well, now with 7.4.0 it handles "password expired", but "principal expired" still gives:

    kinit: krb5_get_init_creds: No ENC-TS found

which is very broken from a user support group view. I tracked this down to the call in kinit.c line 673, which gets handled by the default: in the following switch(ret) with ret=-1765328383. Is that KRB5KDC_ERR_NAME_EXP - but how does that get translated to "No ENC-TS found"?

----
    ret = krb5_init_creds_get(context, ctx);
#ifndef NO_NTLM
    if (ntlm_domain && passwd[0])
        heim_ntlm_nt_key(passwd, &ntlmkey);
#endif
    memset(passwd, 0, sizeof(passwd));

    switch(ret){
    case 0:
        break;
    case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
        exit(1);
    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
    case KRB5KRB_AP_ERR_MODIFIED:
    case KRB5KDC_ERR_PREAUTH_FAILED:
    case KRB5_GET_IN_TKT_LOOP:
        krb5_warnx(context, N_("Password incorrect", ""));
        goto out;
    case KRB5KRB_AP_ERR_V4_REPLY:
        krb5_warnx(context, N_("Looks like a Kerberos 4 reply", ""));
        goto out;
    case KRB5KDC_ERR_KEY_EXPIRED:
        krb5_warnx(context, N_("Password expired", ""));
        goto out;
    default:
        krb5_warn(context, ret, "krb5_get_init_creds");
        goto out;
    }
---

Questions:

1. How do I get the list of all KRB5KDC_ERR_* values, and where are these defined?
2. What possible error values can come back from krb5_init_creds_get(), and how can they be dealt with better?
3. Should the error handling and generation of the error string be in this switch(), or should it be done by some krb5_error_something function?

Harald.
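An added example, not part of Harald's mail or of Heimdal's code: ret is a com_err code, which packs a table name (up to five 6-bit characters) into the bits above the low byte and the entry's index into the low byte, so the value can be decoded without a krb5 context. The decoder below (plain C, no libkrb5) recovers table "krb5" and index 1 for -1765328383; the embedded index-to-name table is the KDC error list from RFC 4120 section 7.5.9, which is the list krb5_err.h (generated from krb5_err.et) defines the KRB5KDC_ERR_* constants from.

```c
#include <stdint.h>
#include <string.h>

/* com_err layout: table name above bit 8 (each char stored as char_set
 * index + 1, most significant first), entry index in the low 8 bits. */
#define ERRCODE_RANGE 8
#define BITS_PER_CHAR 6
static const char char_set[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* KDC error names in the "krb5" table, indices 0..26 (RFC 4120, 7.5.9). */
static const char *const krb5kdc_err[] = {
    "KRB5KDC_ERR_NONE", "KRB5KDC_ERR_NAME_EXP", "KRB5KDC_ERR_SERVICE_EXP",
    "KRB5KDC_ERR_BAD_PVNO", "KRB5KDC_ERR_C_OLD_MAST_KVNO", "KRB5KDC_ERR_S_OLD_MAST_KVNO",
    "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE",
    "KRB5KDC_ERR_NULL_KEY", "KRB5KDC_ERR_CANNOT_POSTDATE", "KRB5KDC_ERR_NEVER_VALID",
    "KRB5KDC_ERR_POLICY", "KRB5KDC_ERR_BADOPTION", "KRB5KDC_ERR_ETYPE_NOSUPP",
    "KRB5KDC_ERR_SUMTYPE_NOSUPP", "KRB5KDC_ERR_PADATA_TYPE_NOSUPP", "KRB5KDC_ERR_TRTYPE_NOSUPP",
    "KRB5KDC_ERR_CLIENT_REVOKED", "KRB5KDC_ERR_SERVICE_REVOKED", "KRB5KDC_ERR_TGT_REVOKED",
    "KRB5KDC_ERR_CLIENT_NOTYET", "KRB5KDC_ERR_SERVICE_NOTYET", "KRB5KDC_ERR_KEY_EXPIRED",
    "KRB5KDC_ERR_PREAUTH_FAILED", "KRB5KDC_ERR_PREAUTH_REQUIRED", "KRB5KDC_ERR_SERVER_NOMATCH",
};

/* Recover the table name encoded in a code; `out` must hold 6 bytes. */
void comerr_table_name(int32_t code, char out[6])
{
    uint32_t num = (uint32_t)code >> ERRCODE_RANGE;  /* unsigned: no sign fill */
    int n = 0;
    for (int i = 4; i >= 0; i--) {
        unsigned ch = (num >> (BITS_PER_CHAR * i)) & ((1u << BITS_PER_CHAR) - 1);
        if (ch != 0)
            out[n++] = char_set[ch - 1];
    }
    out[n] = '\0';
}

/* Position of the code within its table: the low 8 bits. */
int comerr_index(int32_t code) { return (int)((uint32_t)code & 0xff); }

/* Symbolic name for a code in the krb5 KDC range, or NULL if it is not one. */
const char *krb5kdc_err_name(int32_t code)
{
    char table[6];
    comerr_table_name(code, table);
    if (strcmp(table, "krb5") != 0)
        return NULL;
    int idx = comerr_index(code);
    return idx < (int)(sizeof krb5kdc_err / sizeof *krb5kdc_err) ? krb5kdc_err[idx] : NULL;
}
```

krb5kdc_err_name(-1765328383) returns "KRB5KDC_ERR_NAME_EXP", and -1765328361 (base + 23) gives "KRB5KDC_ERR_KEY_EXPIRED", the case kinit already handles. The text kinit printed comes from krb5_get_error_message(context, ret), which in Heimdal returns a message attached with krb5_set_error_message when one is present and otherwise the com_err text for the code.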