11592 – samba member server returns incorrect error code when gss_accept_sec_context returns a token with an error (was with some versions of krb5)

Bug 11592 - samba member server returns incorrect error code when gss_accept_sec_context returns a token with an error (was with some versions of krb5)

Summary: samba member server returns incorrect error code when gss_accept_sec_context ...

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.3.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Jeremy Allison
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-11-08 23:50 UTC by Richard Sharpe
Modified:	2022-08-25 08:43 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
What Windows returns ... (13.44 KB, application/octet-stream) 2015-11-08 23:51 UTC, Richard Sharpe	no flags	Details
What Samba returns with the faulty version of krb5 (25.60 KB, application/octet-stream) 2015-11-08 23:52 UTC, Richard Sharpe	no flags	Details
git-am fix for 4.3.next, 4.2.next. (1.59 KB, patch) 2015-11-13 00:34 UTC, Jeremy Allison	jra: review? (rsharpe)	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Richard Sharpe 2015-11-08 23:50:24 UTC

With krb5-1.10.x and if there is a large clock skew between a member server and a Windows client (greater than 10 hours after the valid start time of tickets or well before the start time of a ticket) Samba will return STATUS_LOGON_FAILURE to a SESSION SETUP request when it should return STATUS_MORE_PROCESSING_REQUIRED and a Krb_error token.

The problem is that gss_accept_sec_context in krb5-1.10.x behaves incorrectly, although it might look like gse_get_server_auth_token in source3/librpc/crypto/gse.c is at fault.

This was seen on CentOS 6.6/7.

This actually a problem with krb5-1.10.x and is fixed in at least kb5-1.13.2.

There is a bug logged against RedHat here:

https://bugzilla.redhat.com/show_bug.cgi?id=1279249

This bug has been opened so that people searching might quickly realize what the real problem is.

Comment 1 Richard Sharpe 2015-11-08 23:51:29 UTC

Created attachment 11586 [details]
What Windows returns ...

Windows returns MORE_PROCESSING_REQUIRED with either Ticket Not Yet Valid or Ticket Expired depending on the direction of the clock skew.

Comment 2 Richard Sharpe 2015-11-08 23:52:31 UTC

Created attachment 11587 [details]
What Samba returns with the faulty version of krb5

Samba simply returns LOGON_FAILURE which causes Windows to prompt for creds again.

Comment 3 Richard Sharpe 2015-11-10 21:12:18 UTC

The problem is more complex than I thought.

While later versions of krb5, like 1.10.3, do return a token, they do not return a status of GSS_C_CONTINUE_NEEDED. I was transforming GSS_C_FAILURE to GSS_C_CONTINUE_NEEDED in Samba in the case of the two minor codes I was interested in.

More investigation needed.

Working with Simo on this.

Comment 4 Richard Sharpe 2015-11-11 04:58:19 UTC

As pointed out in the linked RedHat bug, if gss_accept_sec_context returns a token, even when it also returned an error status, we must return that token to the client.

Comment 5 Richard Sharpe 2015-11-12 03:49:20 UTC

Change #8936281bcc9bef19ede99146475dd867ed5d3873 was committed that fixes the Samba side of this problem.

However, you need a recent version of krb5-libs on your Linux or other system as well.

Comment 6 Richard Sharpe 2015-11-12 03:50:20 UTC

Do we need to cherry pick this to 4.3.X or 4.2.X?

Comment 7 Jeremy Allison 2015-11-13 00:34:48 UTC

Created attachment 11594 [details]
git-am fix for 4.3.next, 4.2.next.

Cherry-pick from master for 4.3.next and 4.2.next.

Comment 8 Jo Sutton 2022-08-25 08:43:11 UTC

Samba versions below 4.4 are unsupported, so we can close this now.