Remove saved password if it fails to get tickets
authorAlexandra Ellwood <lxs@mit.edu>
Wed, 29 Oct 2008 20:36:49 +0000 (20:36 +0000)
committerAlexandra Ellwood <lxs@mit.edu>
Wed, 29 Oct 2008 20:36:49 +0000 (20:36 +0000)
Note that if preauth is turned on the password may be removed for
other reasons.  This is because preauth failing can mean several
things.  Better to always remove it than have the user sometimes
get stuck though.

ticket: new

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20936 dc483132-0cff-0310-8789-dd5450dbe970

src/kim/lib/kim_credential.c

index c565f80ccda715fcd462d2b5d975bbb79a5c4735..7b49c42dc0662fa22321a8b038dbb77bca5cfd03 100644 (file)
@@ -330,6 +330,7 @@ kim_error kim_credential_create_new_with_password (kim_credential *out_credentia
             
             /* set counter to zero so we can tell if we got prompted */
             context.prompt_count = 0;
+            context.password_to_save = NULL;
             
             err = krb5_error (credential->context,
                               krb5_get_init_creds_password (credential->context, 
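Review bot: The added `context.password_to_save = NULL;` overwrites the field without checking whether it already holds a password from an earlier attempt. The "try again" wording in the next hunk suggests this code is re-entered on retry, though the loop itself and the place where the field is filled and released are outside the visible lines. If the field can be non-NULL here, the plain assignment drops the only pointer to a heap copy of the user's password, leaving it unfreed and unzeroed; in that case, wipe and free it before clearing it. The comment above still describes only the counter, so add one for the new line, for example `/* forget any password captured on a previous attempt */`. The body of kim_credential_create_new_with_password starts and ends outside this hunk.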
@@ -406,11 +407,20 @@ kim_error kim_credential_create_new_with_password (kim_credential *out_credentia
             } else if (prompt_count) {
                 /* User was prompted and might have entered bad info 
                  * so report error and try again. */
                 err = kim_ui_handle_kim_error (&context, identity, 
                                                kim_ui_error_type_authentication,
                                                err);
             }
             
+            if (err == KRB5KRB_AP_ERR_BAD_INTEGRITY || 
+                err == KRB5KDC_ERR_PREAUTH_FAILED ||
+                err == KIM_BAD_PASSWORD_ERR || err == KIM_PREAUTH_FAILED_ERR) {
+                /* if the password could have failed, remove any saved ones
+                 * or the user will get stuck. */
+                kim_os_identity_remove_saved_password (identity);
+            }
+            
             if (free_creds) { krb5_free_cred_contents (credential->context, &creds); }
         }