On Thu, Oct 05, 2017 at 10:37:26AM +0200, Harald Barth wrote:
> I'm currently looking at why kinit can not give a decent error message
> on the easy fact that a credential has expired. Well, now with 7.4.0
> it handles "password expired" but "principal expired" still gives:
>
> kinit: krb5_get_init_creds: No ENC-TS found
>
> which is very broken from a user support group view. I tracked this
> down to the call in kinit.c line 673 which gets handled by the
> default: in the following switch(ret) with ret=-1765328383. Is that
> KRB5KDC_ERR_NAME_EXP - but how does that get translated to "No ENC-TS
> found"?
Oh, yeah, that's lame.

> Questions:
>
> 1. How do I get the list of all KRB5KDC_ERR_* values and where are
> these defined?

The *.et files define them. KRB5KDC_ERR_* errors come from RFC4120 and
related RFCs, but in the source tree they are defined in *.et files.

> 2. What possible error values can come back from krb5_init_creds_get()
> and how to deal with them better?

We don't have an exhaustive list. Does MIT? But whatever the case, these
errors should always come with a user-meaningful error message. So let's
improve this.

> 3. Should the error handling and generation of the error string be in
> this switch() or should it be by some krb5_error_something function?

krb5_get_init_creds_*() should definitely set appropriate error messages,
however, kinit probably does need to remap them or add additional text
(mostly prefixes).

Nico
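Added example, not code from either poster or from Heimdal: the com_err scheme behind the *.et files packs a four-character table name into the upper 24 bits of the code and the table index into the low 8 bits, so the ret=-1765328383 from the thread decodes to table "krb5", offset 1, which is KDC_ERR_NAME_EXP in RFC 4120. The KRB5KDC_ERR_* subset, the user-facing texts and describe_init_creds_error() are illustrative choices here, not Heimdal's strings or API.

```c
/* Added example (not Heimdal code): decode a com_err code such as the
 * ret=-1765328383 from the thread into its .et table name and offset,
 * then map it to the kind of message kinit should print. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* com_err stores the table name as up to four 6-bit characters (1-based
 * index into this alphabet) in bits 8..31; bits 0..7 are the table index. */
static const char com_err_charset[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* Writes the table name (e.g. "krb5") into out, which needs 5 bytes. */
void com_err_table_name(int32_t code, char out[5]) {
    uint32_t num = ((uint32_t)code >> 8) & 0xFFFFFF;
    int n = 0;
    for (int i = 3; i >= 0; i--) {
        unsigned ch = (num >> (6 * i)) & 0x3F;
        if (ch != 0)                       /* 0 means "no character" */
            out[n++] = com_err_charset[ch - 1];
    }
    out[n] = '\0';
}

int com_err_table_offset(int32_t code) { return (int)((uint32_t)code & 0xFF); }

/* Subset of RFC 4120 section 7.5.9 KDC error codes; the krb5 .et file lists
 * all of them in this order from offset 0. The user_text is illustrative. */
struct kdc_err { int offset; const char *name; const char *user_text; };
static const struct kdc_err kdc_errors[] = {
    {  1, "KRB5KDC_ERR_NAME_EXP",            "Client principal has expired" },
    {  6, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database" },
    { 18, "KRB5KDC_ERR_CLIENT_REVOKED",      "Client's credentials have been revoked" },
    { 23, "KRB5KDC_ERR_KEY_EXPIRED",         "Password has expired" },
    { 24, "KRB5KDC_ERR_PREAUTH_FAILED",      "Preauthentication failed" },
};

/* Hypothetical kinit-style remapping: returns the symbolic name (or NULL)
 * and fills msg with user-meaningful text instead of "No ENC-TS found". */
const char *describe_init_creds_error(int32_t code, char *msg, size_t msglen) {
    char table[5];
    com_err_table_name(code, table);
    int off = com_err_table_offset(code);
    if (strcmp(table, "krb5") == 0)
        for (size_t i = 0; i < sizeof kdc_errors / sizeof kdc_errors[0]; i++)
            if (kdc_errors[i].offset == off) {
                snprintf(msg, msglen, "kinit: %s", kdc_errors[i].user_text);
                return kdc_errors[i].name;
            }
    snprintf(msg, msglen, "kinit: error %d (table %s, offset %d)", code, table, off);
    return NULL;
}
```

Running describe_init_creds_error(-1765328383, ...) yields KRB5KDC_ERR_NAME_EXP with the message "kinit: Client principal has expired".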