From 28d9493d232020a65b1b4634408c9341ef1dc39c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 19 Nov 2019 12:10:11 +0100
Subject: gensec/spnego: fallback on INVALID_{ACCOUNT,COMPUTER}_NAME and
 NO_SUCH_DOMAIN

I think it's better to handle them in spnego.c, instead of squashing
them already in the gssapi/gse modules. This is related to
KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN and KRB5_REALM_UNKNOWN.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 auth/gensec/spnego.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'auth')

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index db8a91b6f34..87545d860e8 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -569,6 +569,9 @@ static NTSTATUS gensec_spnego_client_negTokenInit_step(
 		 * of this mech
 		 */
 		if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
+		    NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME) ||
+		    NT_STATUS_EQUAL(status, NT_STATUS_INVALID_COMPUTER_NAME) ||
+		    NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN) ||
 		    NT_STATUS_EQUAL(status, NT_STATUS_NO_LOGON_SERVERS) ||
 		    NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
 		    NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO))
-- 
cgit v1.2.1