Bug 11592 - samba member server returns incorrect error code when gss_accept_sec_context returns a token with an error (was with some versions of krb5)
samba member server returns incorrect error code when gss_accept_sec_context ...
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
All All
: P5 normal
: ---
Assigned To: Jeremy Allison
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2015-11-08 23:50 UTC by Richard Sharpe
Modified: 2015-11-13 00:35 UTC (History)
4 users (show)

See Also:

What Windows returns ... (13.44 KB, application/octet-stream)
2015-11-08 23:51 UTC, Richard Sharpe
no flags Details
What Samba returns with the faulty version of krb5 (25.60 KB, application/octet-stream)
2015-11-08 23:52 UTC, Richard Sharpe
no flags Details
git-am fix for 4.3.next, 4.2.next. (1.59 KB, patch)
2015-11-13 00:34 UTC, Jeremy Allison
jra: review? (rsharpe)

Note You need to log in before you can comment on or make changes to this bug.
Description Richard Sharpe 2015-11-08 23:50:24 UTC
With krb5-1.10.x and if there is a large clock skew between a member server and a Windows client (greater than 10 hours after the valid start time of tickets or well before the start time of a ticket) Samba will return STATUS_LOGON_FAILURE to a SESSION SETUP request when it should return STATUS_MORE_PROCESSING_REQUIRED and a Krb_error token.

The problem is that gss_accept_sec_context in krb5-1.10.x behaves incorrectly, although it might look like gse_get_server_auth_token in source3/librpc/crypto/gse.c is at fault.

This was seen on CentOS 6.6/7.

This actually a problem with krb5-1.10.x and is fixed in at least kb5-1.13.2.

There is a bug logged against RedHat here:


This bug has been opened so that people searching might quickly realize what the real problem is.
Comment 1 Richard Sharpe 2015-11-08 23:51:29 UTC
Created attachment 11586 [details]
What Windows returns ...

Windows returns MORE_PROCESSING_REQUIRED with either Ticket Not Yet Valid or Ticket Expired depending on the direction of the clock skew.
Comment 2 Richard Sharpe 2015-11-08 23:52:31 UTC
Created attachment 11587 [details]
What Samba returns with the faulty version of krb5

Samba simply returns LOGON_FAILURE which causes Windows to prompt for creds again.
Comment 3 Richard Sharpe 2015-11-10 21:12:18 UTC
The problem is more complex than I thought.

While later versions of krb5, like 1.10.3, do return a token, they do not return a status of GSS_C_CONTINUE_NEEDED. I was transforming GSS_C_FAILURE to GSS_C_CONTINUE_NEEDED in Samba in the case of the two minor codes I was interested in.

More investigation needed.

Working with Simo on this.
Comment 4 Richard Sharpe 2015-11-11 04:58:19 UTC
As pointed out in the linked RedHat bug, if gss_accept_sec_context returns a token, even when it also returned an error status, we must return that token to the client.
Comment 5 Richard Sharpe 2015-11-12 03:49:20 UTC
Change #8936281bcc9bef19ede99146475dd867ed5d3873 was committed that fixes the Samba side of this problem.

However, you need a recent version of krb5-libs on your Linux or other system as well.
Comment 6 Richard Sharpe 2015-11-12 03:50:20 UTC
Do we need to cherry pick this to 4.3.X or 4.2.X?
Comment 7 Jeremy Allison 2015-11-13 00:34:48 UTC
Created attachment 11594 [details]
git-am fix for 4.3.next, 4.2.next.

Cherry-pick from master for 4.3.next and 4.2.next.