krb5_wrap: move source3/libads/krb5_errs.c to lib/krb5_wrap/krb5_errs.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

3 files changed, 131 insertions, 2 deletions

diff --git a/lib/krb5_wrap/krb5_errs.c b/lib/krb5_wrap/krb5_errs.c
new file mode 100644
index 00000000000..37428defe1e
--- /dev/null
+++ b/lib/krb5_wrap/krb5_errs.c
@@ -0,0 +1,114 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Kerberos error mapping functions
+ *  Copyright (C) Guenther Deschner 2005
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "krb5_samba.h"
+
+#ifdef HAVE_KRB5
+
+static const struct {
+	krb5_error_code krb5_code;
+	NTSTATUS ntstatus;
+} krb5_to_nt_status_map[] = {
+	{KRB5_CC_IO, NT_STATUS_UNEXPECTED_IO_ERROR},
+	{KRB5KDC_ERR_BADOPTION, NT_STATUS_INVALID_PARAMETER},
+	{KRB5KDC_ERR_CLIENT_REVOKED, NT_STATUS_ACCOUNT_LOCKED_OUT},
+	{KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME},
+	{KRB5KDC_ERR_ETYPE_NOSUPP, NT_STATUS_LOGON_FAILURE},
+#if defined(KRB5KDC_ERR_KEY_EXP) /* MIT */
+	{KRB5KDC_ERR_KEY_EXP, NT_STATUS_PASSWORD_EXPIRED},
+#else /* old Heimdal releases have it with different name only in an enum: */
+	{KRB5KDC_ERR_KEY_EXPIRED, NT_STATUS_PASSWORD_EXPIRED},
+#endif
+	{25, NT_STATUS_PASSWORD_EXPIRED}, /* FIXME: bug in heimdal 0.7 krb5_get_init_creds_password (Inappropriate ioctl for device (25)) */
+	{KRB5KDC_ERR_NULL_KEY, NT_STATUS_LOGON_FAILURE},
+	{KRB5KDC_ERR_POLICY, NT_STATUS_INVALID_WORKSTATION},
+	{KRB5KDC_ERR_PREAUTH_FAILED, NT_STATUS_LOGON_FAILURE},
+	{KRB5KDC_ERR_SERVICE_REVOKED, NT_STATUS_ACCESS_DENIED},
+	{KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME},
+	{KRB5KDC_ERR_SUMTYPE_NOSUPP, NT_STATUS_LOGON_FAILURE},
+	{KRB5KDC_ERR_TGT_REVOKED, NT_STATUS_ACCESS_DENIED},
+	{KRB5_KDC_UNREACH, NT_STATUS_NO_LOGON_SERVERS},
+	{KRB5KRB_AP_ERR_BAD_INTEGRITY, NT_STATUS_LOGON_FAILURE},
+	{KRB5KRB_AP_ERR_MODIFIED, NT_STATUS_LOGON_FAILURE},
+	{KRB5KRB_AP_ERR_SKEW, NT_STATUS_TIME_DIFFERENCE_AT_DC},
+	{KRB5_KDCREP_SKEW, NT_STATUS_TIME_DIFFERENCE_AT_DC},
+	{KRB5KRB_AP_ERR_TKT_EXPIRED, NT_STATUS_LOGON_FAILURE},
+	{KRB5KRB_ERR_GENERIC, NT_STATUS_UNSUCCESSFUL},
+#if defined(KRB5KRB_ERR_RESPONSE_TOO_BIG)
+	{KRB5KRB_ERR_RESPONSE_TOO_BIG, NT_STATUS_PROTOCOL_UNREACHABLE},
+#endif
+	{KRB5_CC_NOTFOUND, NT_STATUS_NO_SUCH_FILE},
+	{KRB5_FCC_NOFILE, NT_STATUS_NO_SUCH_FILE},
+	{KRB5_RC_MALLOC, NT_STATUS_NO_MEMORY},
+	{ENOMEM, NT_STATUS_NO_MEMORY},
+	{KRB5_REALM_CANT_RESOLVE, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND},
+
+	/* Must be last entry */
+	{KRB5KDC_ERR_NONE, NT_STATUS_OK}
+};
+
+static const struct {
+	NTSTATUS ntstatus;
+	krb5_error_code krb5_code;
+} nt_status_to_krb5_map[] = {
+	{NT_STATUS_LOGON_FAILURE, KRB5KDC_ERR_PREAUTH_FAILED},
+	{NT_STATUS_NO_LOGON_SERVERS, KRB5_KDC_UNREACH},
+	{NT_STATUS_OK, 0}
+};
+
+/*****************************************************************************
+convert a KRB5 error to a NT status32 code
+ *****************************************************************************/
+ NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error)
+{
+	int i;
+
+	if (kerberos_error == 0) {
+		return NT_STATUS_OK;
+	}
+
+	for (i=0; NT_STATUS_V(krb5_to_nt_status_map[i].ntstatus); i++) {
+		if (kerberos_error == krb5_to_nt_status_map[i].krb5_code)
+			return krb5_to_nt_status_map[i].ntstatus;
+	}
+
+	return NT_STATUS_UNSUCCESSFUL;
+}
+
+/*****************************************************************************
+convert an NT status32 code to a KRB5 error
+ *****************************************************************************/
+ krb5_error_code nt_status_to_krb5(NTSTATUS nt_status)
+{
+	int i;
+
+	if NT_STATUS_IS_OK(nt_status) {
+		return 0;
+	}
+
+	for (i=0; NT_STATUS_V(nt_status_to_krb5_map[i].ntstatus); i++) {
+		if (NT_STATUS_EQUAL(nt_status,nt_status_to_krb5_map[i].ntstatus))
+			return nt_status_to_krb5_map[i].krb5_code;
+	}
+
+	return KRB5KRB_ERR_GENERIC;
+}
+
+#endif
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 64ae0275dbd..ca9a893e4f7 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -406,4 +406,7 @@ int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx,
 			    time_t *tgs_expire,
 			    const char *impersonate_princ_s);
 
+NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
+krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
+
 #endif /* _KRB5_SAMBA_H */
diff --git a/lib/krb5_wrap/wscript_build b/lib/krb5_wrap/wscript_build
index 624964452af..dd9fc08fff7 100644
--- a/lib/krb5_wrap/wscript_build
+++ b/lib/krb5_wrap/wscript_build
@@ -5,7 +5,19 @@ if bld.CONFIG_SET('SAMBA4_USES_HEIMDAL'):
     add_deps = ' asn1'
 
 bld.SAMBA_LIBRARY('krb5samba',
-                  source='krb5_samba.c gss_samba.c keytab_util.c enctype_convert.c',
-                  deps='samba-util talloc krb5 com_err gssapi' + add_deps,
+                  source='''
+                      krb5_samba.c
+                      gss_samba.c
+                      keytab_util.c
+                      enctype_convert.c
+                      krb5_errs.c
+                  ''',
+                  deps='''
+                      samba-util
+                      talloc
+                      krb5
+                      com_err
+                      gssapi
+                  ''' + add_deps,
                   private_library=True
                  )