gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.

When requesting initiator credentials fails, we need to map the error code
KRB5KRB_AP_ERR_BAD_INTEGRITY to NT_STATUS_LOGON_FAILURE as well. This is what
current MIT kerberos returns.

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit de6021127d2d666280d11ebcf41dd2a64f6591f3)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 32337c07517c70d87e8da96babb0e1865172161f..053bd91b40f4f6b3edcbc84f07d873214abf4cae 100644 (file)
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -305,6 +305,7 @@ static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_securi
                return NT_STATUS_INVALID_PARAMETER;
        case KRB5KDC_ERR_PREAUTH_FAILED:
        case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
+       case KRB5KRB_AP_ERR_BAD_INTEGRITY:
                DEBUG(1, ("Wrong username or password: %s\n", error_string));
                return NT_STATUS_LOGON_FAILURE;
        case KRB5KDC_ERR_CLIENT_REVOKED: