krb5_child: use ERR_CHECK_NEXT_AUTH_TYPE instead of EAGAIN

[sumit-bose]

This patch used the new error code ERR_CHECK_NEXT_AUTH_TYPE while
processing different authentication types instead of EAGAIN because
EAGAIN might have side effects when returned to the callers.

Resolves: #8108

[gemini-code-assist]

Code Review

This pull request refactors the Kerberos authentication child process to use a new, specific error code ERR_CHECK_NEXT_AUTH_TYPE instead of the generic EAGAIN when an authentication method is not applicable. This is a good improvement as it avoids ambiguity and potential side effects from misinterpreting EAGAIN. The changes are implemented consistently across the affected functions, and the new error code is correctly defined and handled. The logic for trying subsequent authentication methods is preserved and now clearer. I have reviewed the changes and found no issues.

[thalman]

Looks goos, thanks @sumit-bose

[alexey-tikhonov]

@sumit-bose, should this go to sssd-2-9 as well?

[sumit-bose]

@sumit-bose, should this go to sssd-2-9 as well?

Hi,

the issue was cause by the EAGAIN check from #7995 which was backported to sssd-2-9 and sssd-2-11, so yes.

bye,
Sumit

[alexey-tikhonov]

@shridhargadekar, @sumit-bose, is this something to account for in #8032?

[sumit-bose]

@shridhargadekar, @sumit-bose, is this something to account for in #8032?

Hi,

I think not because it si not related to SSS_AUTHTOK_TYPE_PAM_STACKED tested in #8032. As you can see in the issue you need enforced 2FA and krb5_store_password_if_offline = True to trigger the issue. Not sure if we can currently handle 2FA in tests?

bye,
Sumit

[alexey-tikhonov]

Not sure if we can currently handle 2FA in tests?

I think @spoore1 or maybe @krishnavema or @ikerexxe should know.

[ikerexxe]

LGTM

[ikerexxe]

I think @spoore1 or maybe @krishnavema or @ikerexxe should know.

No idea, I never played with 2FA

[sssd-bot]

The pull request was accepted by @ikerexxe with the following PR CI status:

---

🟢 CodeFactor (success)
🟢 CodeQL (success)
NEUTRAL osh-diff-scan:fedora-rawhide-x86_64:upstream (neutral)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-41-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-41) (success)
🟢 ci / intgcheck (fedora-42) (success)
🔴 ci / intgcheck (fedora-43) (failure)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / prepare (success)
🔴 ci / system (centos-10) (failure)
🟢 ci / system (fedora-41) (success)
🟢 ci / system (fedora-42) (success)
🔴 ci / system (fedora-43) (failure)
🔴 ci / system (fedora-44) (failure)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

[alexey-tikhonov]

Note: Covscan was green.