s4:kdc: Modify samba_kdc_get_user_info_from_db() to return a Kerberos error code

instead of an NT status code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

source4/kdc/db-glue.c

@@ -1484,12 +1484,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		 * and computers should never be members of Protected Users, or
 		 * they may fail to authenticate.
 		 */
-		status = samba_kdc_get_user_info_from_db(tmp_ctx,
-							 p,
-							 msg,
-							 &user_info_dc);
-		if (!NT_STATUS_IS_OK(status)) {
-			ret = EINVAL;
+		ret = samba_kdc_get_user_info_from_db(tmp_ctx,
+						      p,
+						      msg,
+						      &user_info_dc);
+		if (ret) {
 			goto out;
 		}
 

source4/kdc/mit_samba.c

@@ -484,17 +484,13 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 		cred_ndr_ptr = &cred_ndr;
 	}
 
-	nt_status = samba_kdc_get_user_info_from_db(tmp_ctx,
-						    skdc_entry,
-						    skdc_entry->msg,
-						    &user_info_dc);
-	if (!NT_STATUS_IS_OK(nt_status)) {
+	code = samba_kdc_get_user_info_from_db(tmp_ctx,
+					       skdc_entry,
+					       skdc_entry->msg,
+					       &user_info_dc);
+	if (code) {
 		talloc_free(tmp_ctx);
-		if (NT_STATUS_EQUAL(nt_status,
-				    NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
-			return ENOENT;
-		}
-		return EINVAL;
+		return code;
 	}
 
 	nt_status = samba_kdc_add_asserted_identity(asserted_identity,
@@ -917,14 +913,16 @@ krb5_error_code mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
 		return ENOMEM;
 	}
 
-	status = samba_kdc_get_user_info_from_db(tmp_ctx,
-						 p,
-						 p->msg,
-						 &user_info_dc);
-	if (!NT_STATUS_IS_OK(status)) {
+	code = samba_kdc_get_user_info_from_db(tmp_ctx,
+					       p,
+					       p->msg,
+					       &user_info_dc);
+	if (code) {
+		const char *krb5err = krb5_get_error_message(ctx->context, code);
 		DBG_WARNING("samba_kdc_get_user_info_from_db failed: %s\n",
-			    nt_errstr(status));
-		code = EINVAL;
+			krb5err != NULL ? krb5err : "<unknown>");
+		krb5_free_error_message(ctx->context, krb5err);
+
 		goto out;
 	}
 

source4/kdc/pac-glue.c

@@ -1118,10 +1118,10 @@ NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx,
-					 struct samba_kdc_entry *entry,
-					 const struct ldb_message *msg,
-					 struct auth_user_info_dc **info_out)
+krb5_error_code samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx,
+						struct samba_kdc_entry *entry,
+						const struct ldb_message *msg,
+						struct auth_user_info_dc **info_out)
 {
 	NTSTATUS nt_status;
 	struct auth_user_info_dc *user_info_dc = NULL;
@@ -1142,7 +1142,8 @@ NTSTATUS samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx,
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			DBG_ERR("Getting user info for PAC failed: %s\n",
 				nt_errstr(nt_status));
-			return nt_status;
+			/* NT_STATUS_OBJECT_NAME_NOT_FOUND is mapped to ENOENT. */
+			return map_errno_from_nt_status(nt_status);
 		}
 	}
 
@@ -1151,12 +1152,12 @@ NTSTATUS samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx,
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DBG_ERR("Failed to allocate user_info_dc SIDs: %s\n",
 			nt_errstr(nt_status));
-		return nt_status;
+		return map_errno_from_nt_status(nt_status);
 	}
 
 	*info_out = user_info_dc;
 
-	return NT_STATUS_OK;
+	return 0;
 }
 
 static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx,
@@ -1236,13 +1237,16 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx,
 		 * SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY
 		 * here.
 		 */
-		nt_status = samba_kdc_get_user_info_from_db(mem_ctx,
-							    entry.entry,
-							    entry.entry->msg,
-							    &user_info_dc);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n",
-				nt_errstr(nt_status));
+		ret = samba_kdc_get_user_info_from_db(mem_ctx,
+						      entry.entry,
+						      entry.entry->msg,
+						      &user_info_dc);
+		if (ret) {
+			const char *krb5err = krb5_get_error_message(context, ret);
+			DBG_ERR("samba_kdc_get_user_info_from_db: %s\n",
+				krb5err != NULL ? krb5err : "?");
+			krb5_free_error_message(context, krb5err);
+
 			ret = KRB5KDC_ERR_TGT_REVOKED;
 			goto out;
 		}
@@ -2046,13 +2050,16 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
 
 	frame = talloc_stackframe();
 
-	nt_status = samba_kdc_get_user_info_from_db(frame,
-						    device,
-						    device->msg,
-						    &device_info_dc);
-	if (!NT_STATUS_IS_OK(nt_status)) {
+	code = samba_kdc_get_user_info_from_db(frame,
+					       device,
+					       device->msg,
+					       &device_info_dc);
+	if (code) {
+		const char *krb5_err = krb5_get_error_message(context, code);
 		DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n",
-			nt_errstr(nt_status));
+			krb5_err != NULL ? krb5_err : "<unknown>");
+		krb5_free_error_message(context, krb5_err);
+
 		talloc_free(frame);
 		return KRB5KDC_ERR_TGT_REVOKED;
 	}
@@ -2127,7 +2134,6 @@ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx,
 	TALLOC_CTX *tmp_ctx = NULL;
 	struct pac_blobs *pac_blobs = NULL;
 	krb5_error_code code = EINVAL;
-	NTSTATUS nt_status;
 
 	tmp_ctx = talloc_new(mem_ctx);
 	if (tmp_ctx == NULL) {
@@ -2158,13 +2164,16 @@ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx,
 			goto done;
 		}
 
-		nt_status = samba_kdc_get_user_info_from_db(tmp_ctx,
-							    client.entry,
-							    client.entry->msg,
-							    &user_info_dc);
-		if (!NT_STATUS_IS_OK(nt_status)) {
+		code = samba_kdc_get_user_info_from_db(tmp_ctx,
+						       client.entry,
+						       client.entry->msg,
+						       &user_info_dc);
+		if (code) {
+			const char *krb5_err = krb5_get_error_message(context, code);
 			DBG_ERR("Getting user info for PAC failed: %s\n",
-				nt_errstr(nt_status));
+				krb5_err != NULL ? krb5_err : "<unknown>");
+			krb5_free_error_message(context, krb5_err);
+
 			code = KRB5KDC_ERR_TGT_REVOKED;
 			goto done;
 		}
@@ -2911,15 +2920,16 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
 			goto out;
 		}
 	} else {
-		nt_status = samba_kdc_get_user_info_from_db(frame,
-							    device.entry,
-							    device.entry->msg,
-							    &device_info);
-		if (!NT_STATUS_IS_OK(nt_status)) {
+		code = samba_kdc_get_user_info_from_db(frame,
+						       device.entry,
+						       device.entry->msg,
+						       &device_info);
+		if (code) {
+			const char *krb5err = krb5_get_error_message(context, code);
 			DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n",
-				nt_errstr(nt_status));
+				krb5err != NULL ? krb5err : "<unknown>");
+			krb5_free_error_message(context, krb5err);
 
-			code = KRB5KDC_ERR_TGT_REVOKED;
 			goto out;
 		}
 

source4/kdc/pac-glue.h

@@ -107,10 +107,10 @@ krb5_error_code samba_krbtgt_is_in_db(const struct samba_kdc_entry *skdc_entry,
 				      bool *is_in_db,
 				      bool *is_trusted);
 
-NTSTATUS samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx,
-					 struct samba_kdc_entry *entry,
-					 const struct ldb_message *msg,
-					 struct auth_user_info_dc **info_out);
+krb5_error_code samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx,
+						struct samba_kdc_entry *entry,
+						const struct ldb_message *msg,
+						struct auth_user_info_dc **info_out);
 
 krb5_error_code samba_kdc_map_policy_err(NTSTATUS nt_status);
 

source4/kdc/wdc-samba4.c

@@ -123,13 +123,13 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 		cred_ndr_ptr = &cred_ndr;
 	}
 
-	nt_status = samba_kdc_get_user_info_from_db(mem_ctx,
-						    skdc_entry,
-						    skdc_entry->msg,
-						    &user_info_dc);
-	if (!NT_STATUS_IS_OK(nt_status)) {
+	ret = samba_kdc_get_user_info_from_db(mem_ctx,
+					      skdc_entry,
+					      skdc_entry->msg,
+					      &user_info_dc);
+	if (ret) {
 		talloc_free(mem_ctx);
-		return map_errno_from_nt_status(nt_status);
+		return ret;
 	}
 
 	nt_status = samba_kdc_add_asserted_identity(asserted_identity,