Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) Subject: krb5_init_creds_get_error() cannot retrieve most intermediate errors X-RT-Original-Encoding: iso-8859-1 Content-Length: 1068 krb5_init_creds_get_error() is patterned after a similar Heimdal interface (although Heimdal uses a different type to represent KRB- ERROR messages) and is documented to "get the last error from KDC from an initial credentials context." Although the precise semantics are not clear, the implication (as well as the Heimdal behavior) is that it should work to retrieve intermediate errors during a krb5_init_creds_step() sequence, as well as to retrieve the final error after the exchange is complete. The current implementation does not allow most intermediate errors to be retrieved. This is because ctx->err_reply has two purposes: it is used by krb5_init_creds_get_error(), and is also used by init_creds_step_request() to decide whether to try regular pre- authentication or "try again with an error" pre-authentication. Because of that, ctx->err_reply is discarded whenever an error should result in regular pre-authentication; this includes PREAUTH_REQUIRED and MORE_PREAUTH_DATA_ERROR_REQUIERD errors, realm referrals, and negotiation restarts.