3 files changed, 24 insertions, 12 deletions

diff --git a/usr/src/lib/smbsrv/libsmbns/common/libsmbns.h b/usr/src/lib/smbsrv/libsmbns/common/libsmbns.h
index 7cde269335..5ccd894b6f 100644
--- a/usr/src/lib/smbsrv/libsmbns/common/libsmbns.h
+++ b/usr/src/lib/smbsrv/libsmbns/common/libsmbns.h
@@ -64,7 +64,9 @@ typedef enum smb_ads_status {
 	SMB_ADS_KRB5_INIT_CTX,
 	SMB_ADS_KRB5_CC_DEFAULT,
 	SMB_ADS_KRB5_PARSE_PRINCIPAL,
+	SMB_ADS_KRB5_GET_INIT_CREDS_OTHER,
 	SMB_ADS_KRB5_GET_INIT_CREDS_PW,
+	SMB_ADS_KRB5_GET_INIT_CREDS_SKEW,
 	SMB_ADS_KRB5_CC_INITIALIZE,
 	SMB_ADS_KRB5_CC_STORE_CRED,
 	SMB_ADS_CANT_LOCATE_DC,
diff --git a/usr/src/lib/smbsrv/libsmbns/common/smbns_ads.c b/usr/src/lib/smbsrv/libsmbns/common/smbns_ads.c
index 8bbe0e8afb..0a07771985 100644
--- a/usr/src/lib/smbsrv/libsmbns/common/smbns_ads.c
+++ b/usr/src/lib/smbsrv/libsmbns/common/smbns_ads.c
@@ -1599,7 +1599,8 @@ smb_ads_lookup_computer_n_attr(smb_ads_handle_t *ah, smb_ads_avpair_t *avpair,
 {
 	char *attrs[3], filter[SMB_ADS_MAXBUFLEN];
 	LDAPMessage *res;
-	char sam_acct[SMB_SAMACCT_MAXLEN], sam_acct2[SMB_SAMACCT_MAXLEN];
+	char sam_acct[SMB_SAMACCT_MAXLEN];
+	char tmpbuf[SMB_ADS_MAXBUFLEN];
 	smb_ads_qstat_t rc;
 	int err;
 
@@ -1618,12 +1619,12 @@ smb_ads_lookup_computer_n_attr(smb_ads_handle_t *ah, smb_ads_avpair_t *avpair,
 		attrs[1] = avpair->avp_attr;
 	}
 
-	if (smb_ads_escape_search_filter_chars(sam_acct, sam_acct2) != 0)
+	if (smb_ads_escape_search_filter_chars(sam_acct, tmpbuf) != 0)
 		return (SMB_ADS_STAT_ERR);
 
 	(void) snprintf(filter, sizeof (filter),
-	    "(&(objectClass=computer)(%s=%s))", SMB_ADS_ATTR_SAMACCT,
-	    sam_acct2);
+	    "(&(objectClass=computer)(%s=%s))",
+	    SMB_ADS_ATTR_SAMACCT, tmpbuf);
 
 	syslog(LOG_DEBUG, "smbns: lookup_computer, "
 	    "dn=%s, scope=%d", dn, scope);
@@ -1947,8 +1948,12 @@ adjoin_table[] = {
 	    "Failed to resolve default credential cache." },
 	{ SMB_ADS_KRB5_PARSE_PRINCIPAL,
 	    "Failed parsing the user principal name." },
+	{ SMB_ADS_KRB5_GET_INIT_CREDS_OTHER,
+	    "Failed getting initial credentials.  (See svc. log)" },
 	{ SMB_ADS_KRB5_GET_INIT_CREDS_PW,
 	    "Failed getting initial credentials.  (Wrong password?)" },
+	{ SMB_ADS_KRB5_GET_INIT_CREDS_SKEW,
+	    "Failed getting initial credentials.  (Clock skew too great)" },
 	{ SMB_ADS_KRB5_CC_INITIALIZE,
 	    "Failed initializing the credential cache." },
 	{ SMB_ADS_KRB5_CC_STORE_CRED,
diff --git a/usr/src/lib/smbsrv/libsmbns/common/smbns_krb.c b/usr/src/lib/smbsrv/libsmbns/common/smbns_krb.c
index aebc6f8c06..b29963f0e9 100644
--- a/usr/src/lib/smbsrv/libsmbns/common/smbns_krb.c
+++ b/usr/src/lib/smbsrv/libsmbns/common/smbns_krb.c
@@ -68,7 +68,6 @@ smb_kinit(char *domain_name, char *principal_name, char *principal_passwd)
 	krb5_principal me = NULL;
 	krb5_creds my_creds;
 	krb5_error_code code;
-	const char *errmsg = NULL;
 	const char *doing = NULL;
 	smb_ads_status_t err;
 
@@ -115,11 +114,20 @@ smb_kinit(char *domain_name, char *principal_name, char *principal_passwd)
 	    principal_passwd, NULL, 0, (krb5_deltat)0,
 	    NULL, NULL);
 	if (code != 0) {
-		err = SMB_ADS_KRB5_GET_INIT_CREDS_PW;
 		doing = "smbns_krb: getting initial credentials";
+		switch (code) {
 
-		if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
-			errmsg = "smbns_krb: Password incorrect";
+		case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+			err = SMB_ADS_KRB5_GET_INIT_CREDS_PW;
+			break;
+
+		case KRB5KRB_AP_ERR_SKEW:
+			err = SMB_ADS_KRB5_GET_INIT_CREDS_SKEW;
+			break;
+
+		default:
+			err = SMB_ADS_KRB5_GET_INIT_CREDS_OTHER;
+			break;
 		}
 
 		goto cleanup;
@@ -144,10 +152,7 @@ smb_kinit(char *domain_name, char *principal_name, char *principal_passwd)
 
 cleanup:
 	if (code != 0) {
-		if (errmsg == NULL)
-			smb_krb5_log_errmsg(ctx, doing, code);
-		else
-			syslog(LOG_ERR, "%s (%s)", doing, errmsg);
+		smb_krb5_log_errmsg(ctx, doing, code);
 	}
 
 	if (my_creds.client == me) {