13247 – gss_api error not returned to client caller via NTSTATUS

Bug 13247 - gss_api error not returned to client caller via NTSTATUS

Summary: gss_api error not returned to client caller via NTSTATUS

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	libsmbclient (show other bugs)
Version:	4.8.0rc2
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Jeremy Allison
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-01-30 16:59 UTC by Jeremy Allison
Modified:	2021-02-11 21:52 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
git-am fix for master. (1021 bytes, patch) 2018-01-30 17:00 UTC, Jeremy Allison	slow: review+	Details
git-am fix for 4.8.0rcNext, 4.7.next, 4.6.next. (1.22 KB, patch) 2018-01-31 01:36 UTC, Jeremy Allison	no flags	Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeremy Allison 2018-01-30 16:59:27 UTC

Google ChromeOS restricts the enc types allowed for the kerberos client. If the DC doesn't support these types it returns KRB5KDC_ERR_ETYPE_NOSUPP as an error to the client code.

Currently Samba doesn't pass this back to the caller as NT_STATUS_KDC_UNKNOWN_ETYPE, which is the NT status designated for this error - it gets returned as NT_STATUS_LOGON_FAILURE, which doesn't allow the caller to report the problem to the client GUI.

We already handle KDC specific errors such as NT_STATUS_TIME_DIFFERENCE_AT_DC, this just adds another one to enable users to debug problems.

Patch to follow.

Comment 1 Jeremy Allison 2018-01-30 17:00:26 UTC

Created attachment 13935 [details]
git-am fix for master.

Comment 2 Jeremy Allison 2018-01-31 01:36:45 UTC

Created attachment 13937 [details]
git-am fix for 4.8.0rcNext, 4.7.next, 4.6.next.

Cherry-pick from master, applies cleanly to 4.8.0rcX, 4.7.next, 4.6.next.