From 115d9c3c476a79c778833690377dd6d71b973fa8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 20 Jan 2017 17:15:49 +0100
Subject: [PATCH 1/2] gensec:spnego: Add debug message for the failed principal

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 4194a67c7efcb58ef2bb7efa1d1556d5fa0ce2e0)
---
 auth/gensec/spnego.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 53 insertions(+), 5 deletions(-)

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 47878922f96..f063f7b358b 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -511,10 +511,34 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 				    NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) ||
 				    NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
 				    NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
-					/* Pretend we never started it (lets the first run find some incompatible demand) */
+					const char *next = NULL;
+					const char *principal = NULL;
+					int dbg_level = DBGLVL_WARNING;
+
+					if (all_sec[i+1].op != NULL) {
+						next = all_sec[i+1].op->name;
+						dbg_level = DBGLVL_NOTICE;
+					}
+
+					if (gensec_security->target.principal != NULL) {
+						principal = gensec_security->target.principal;
+					} else if (gensec_security->target.service != NULL &&
+						   gensec_security->target.hostname != NULL)
+					{
+						principal = talloc_asprintf(spnego_state->sub_sec_security,
+									    "%s/%s",
+									    gensec_security->target.service,
+									    gensec_security->target.hostname);
+					} else {
+						principal = gensec_security->target.hostname;
+					}
+
+					DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
+							  spnego_state->sub_sec_security->ops->name,
+							  principal,
+							  next, nt_errstr(nt_status)));
 
-					DEBUG(3, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
-						  spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+					/* Pretend we never started it (lets the first run find some incompatible demand) */
 					talloc_free(spnego_state->sub_sec_security);
 					spnego_state->sub_sec_security = NULL;
 					continue;
@@ -619,8 +643,32 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
 
 			if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) 
 			    && !NT_STATUS_IS_OK(nt_status)) {
-				DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n", 
-					  spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+				const char *next = NULL;
+				const char *principal = NULL;
+				int dbg_level = DBGLVL_WARNING;
+
+				if (all_sec[i+1].op != NULL) {
+					next = all_sec[i+1].op->name;
+					dbg_level = DBGLVL_NOTICE;
+				}
+
+				if (gensec_security->target.principal != NULL) {
+					principal = gensec_security->target.principal;
+				} else if (gensec_security->target.service != NULL &&
+					   gensec_security->target.hostname != NULL)
+				{
+					principal = talloc_asprintf(spnego_state->sub_sec_security,
+								    "%s/%s",
+								    gensec_security->target.service,
+								    gensec_security->target.hostname);
+				} else {
+					principal = gensec_security->target.hostname;
+				}
+
+				DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
+					  spnego_state->sub_sec_security->ops->name,
+					  principal,
+					  next, nt_errstr(nt_status)));
 				talloc_free(spnego_state->sub_sec_security);
 				spnego_state->sub_sec_security = NULL;
 				/* Pretend we never started it (lets the first run find some incompatible demand) */
-- 
2.12.0


From 70a00e4981d852ac9e11d4a9ab8f533428c795d2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 27 Feb 2017 17:18:15 +0100
Subject: [PATCH 2/2] s3:librpc: Handle gss_min in gse_get_client_auth_token()
 correctly

This will make sure we correctly fall back to NTLMSSP.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar  2 12:41:40 CET 2017 on sn-devel-144

(cherry picked from commit ed42d6e81f6c7cf4ed78b2bc9fcdf6c9d970ca55)
---
 source3/librpc/crypto/gse.c | 46 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 40 insertions(+), 6 deletions(-)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 99971d30881..abf20bc7dfd 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -345,14 +345,48 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 		/* we will need a third leg */
 		status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 		break;
-	default:
-		if ((gss_maj == GSS_S_FAILURE) &&
-		    (gss_min == (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED)) {
+	case GSS_S_CONTEXT_EXPIRED:
+		/* Make SPNEGO ignore us, we can't go any further here */
+		DBG_NOTICE("Context expired\n");
+		status = NT_STATUS_INVALID_PARAMETER;
+		goto done;
+	case GSS_S_FAILURE:
+		switch (gss_min) {
+		case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+			DBG_NOTICE("Server principal not found\n");
+			/* Make SPNEGO ignore us, we can't go any further here */
+			status = NT_STATUS_INVALID_PARAMETER;
+			goto done;
+		case (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED:
 			DBG_NOTICE("Ticket expired\n");
-		} else {
-			DBG_ERR("gss_init_sec_context failed with [%s]\n",
-				gse_errstr(talloc_tos(), gss_maj, gss_min));
+			/* Make SPNEGO ignore us, we can't go any further here */
+			status = NT_STATUS_INVALID_PARAMETER;
+			goto done;
+		case (OM_uint32)KRB5KRB_AP_ERR_TKT_NYV:
+			DBG_NOTICE("Clockskew\n");
+			/* Make SPNEGO ignore us, we can't go any further here */
+			status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+			goto done;
+		case (OM_uint32)KRB5_KDC_UNREACH:
+			DBG_NOTICE("KDC unreachable\n");
+			/* Make SPNEGO ignore us, we can't go any further here */
+			status = NT_STATUS_NO_LOGON_SERVERS;
+			goto done;
+		case (OM_uint32)KRB5KRB_AP_ERR_MSG_TYPE:
+			/* Garbage input, possibly from the auto-mech detection */
+			status = NT_STATUS_INVALID_PARAMETER;
+			goto done;
+		default:
+			DBG_ERR("gss_init_sec_context failed with [%s](%u)\n",
+				gse_errstr(talloc_tos(), gss_maj, gss_min),
+				gss_min);
+			status = NT_STATUS_LOGON_FAILURE;
+			goto done;
 		}
+		break;
+	default:
+		DBG_ERR("gss_init_sec_context failed with [%s]\n",
+			gse_errstr(talloc_tos(), gss_maj, gss_min));
 		status = NT_STATUS_INTERNAL_ERROR;
 		goto done;
 	}
-- 
2.12.0