From fde95037a8558aeaf47797f39fc9a1645819a040 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Mon, 25 May 2020 17:22:24 -0400
Subject: [PATCH] lib/krb5: not_found() do not substitute the error text

not_found() is called internally with error code KRB5_CC_NOTFOUND from find_cred() and get_cred_kdc_capath_worker() where a hard coded error string "Matching credential not found" makes sense. However, it is also called from krb5_get_creds() and krb5_get_credentials_with_flags() with error codes that are returned from the KDC where hiding the true error string confuses the end user and hampers debugging. This change replaces the hard coded string with the result of krb5_get_error_message() and appends the service ticket name.

Change-Id: I275c66c7b5783ae25029dce5b851cb389b118bcc
---
 lib/krb5/get_cred.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index 87add0527..e908e7253 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -684,15 +684,15 @@ static int
 not_found(krb5_context context, krb5_const_principal p, krb5_error_code code)
 {
 krb5_error_code ret;
- char *str;
+ char *str, *err;
+ err = krb5_get_error_message(context, code);
 ret = krb5_unparse_name(context, p, &str);
 if(ret) {
 krb5_clear_error_message(context);
 return code;
 }
- krb5_set_error_message(context, code,
- N_("Matching credential (%s) not found", ""), str);
+ krb5_set_error_message(context, code, N_("%s (%s)", ""), err, str);
 free(str);
 return code;
 }
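Review bot: The string returned by `krb5_get_error_message()` is stored in `err` but never released in not_found(), so every call leaks it, both on the early `return code;` under `if(ret)` and on the normal path after `krb5_set_error_message()`. Add `krb5_free_error_message(context, err);` before the early return and again next to `free(str);`. The getter can also return NULL when it cannot allocate, and passing NULL to `%s` is undefined, so the NULL case should be guarded before formatting. Since Heimdal declares the getter as returning `const char *`, the declaration would be cleaner as `const char *err;` on its own line rather than sharing `char *str, *err;`.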