From 95256a612961939f09ab2cfd72cd93c411a9673f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 18 Dec 2014 16:15:17 +1300 Subject: [PATCH] kdc: Preserve error code from Pre Authentication .validate hook This is required to ensure the client still gets errors like KRB5KDC_ERR_PREAUTH_FAILED, rather than KRB5KDC_ERR_PREAUTH_REQUIRED, which become a confusing KRB5_GET_IN_TKT_LOOP. Andrew Bartlett Signed-off-by: Andrew Bartlett Pair-programmed-with: Garming Sam Signed-off-by: Garming Sam
---
 kdc/kerberos5.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 4c1964c24..2c408b3fe 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1782,13 +1782,14 @@ _kdc_as_rep(kdc_request_t r,
 pa = _kdc_find_padata(req, &i, pat[n].type);
 if (pa) {
 ret = pat[n].validate(r, pa);
- if (ret == 0) {
- kdc_log(context, config, 0,
- "%s pre-authentication succeeded -- %s",
- pat[n].name, r->client_name);
- found_pa = 1;
- r->et.flags.pre_authent = 1;
+ if (ret != 0) {
+ goto out;
 }
+ kdc_log(context, config, 0,
+ "%s pre-authentication succeeded -- %s",
+ pat[n].name, r->client_name);
+ found_pa = 1;
+ r->et.flags.pre_authent = 1;
 }
 }
 }
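Review bot: The new `if (ret != 0) { goto out; }` leaves the loop on the first padata type whose `.validate` hook fails, so a request that also carries padata of a later `pat[]` type is now rejected where the old code would have gone on to try it; if that is intended, state it in a comment above the check, e.g. `/* A failed validate is final: return its error rather than falling back to PREAUTH_REQUIRED */`. The failure path also logs nothing at this site, while the success path records the mechanism and client name. Unless every hook logs its own failure (not visible here), add `kdc_log(context, config, 0, "%s pre-authentication failed -- %s", pat[n].name, r->client_name);` before the `goto` so failed attempts can be attributed when monitoring for password guessing. The enclosing loop and the `out` label lie outside the hunk, so how `out` maps a non-Kerberos `ret` from a hook into the reply cannot be checked from here.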