Hello, attached is a patch that adds two new krb5_* calls: krb5_get_init_creds_opt_get_error() and krb5_copy_error(). These two calls already exist in Heimdal Kerberos (since version 0.8). The reason for adding these calls is to enable the caller to retrieve the full krb5_error packet after a failed AS-REQ from a Windows KDC. Windows KDCs add extended 32bit NTSTATUS codes into the krb5_error edata as a KRB5_PADATA_PW_SALT. (see here: http://marc.info/?l=samba-technical&m=114263219025559&w=2) to transport more fine-grained error conditions (e.g. based on Windows account restrictions). Having access to these NTSTATUS codes is extremely valuable for Samba as a krb5 client, notably for the error handling in the kerberized pam_winbind module where it used currently when the system krb5 library (currently only Heimdal > 0.8) offers it. Can these calls be added to MIT kerberos? The patch is against MIT kerberos 1.6.1 and has been valgrinded and tested on fedora core 6 x86_64. Thanks, Guenther -- Günther Deschner GPG-ID: 8EE11688 Red Hat gdeschner@redhat.com Samba Team gd@samba.org