Bug 13247 - gss_api error not returned to client caller via NTSTATUS
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
Version: 4.8.0rc2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Depends on:
Reported: 2018-01-30 16:59 UTC by Jeremy Allison
Modified: 2021-02-11 21:52 UTC

git-am fix for master. (1021 bytes, patch)
2018-01-30 17:00 UTC, Jeremy Allison
slow: review+
git-am fix for 4.8.0rcNext, 4.7.next, 4.6.next. (1.22 KB, patch)
2018-01-31 01:36 UTC, Jeremy Allison
no flags

Description Jeremy Allison 2018-01-30 16:59:27 UTC
Google ChromeOS restricts the enc types allowed for the Kerberos client. If the DC doesn't support these types it returns KRB5KDC_ERR_ETYPE_NOSUPP as an error to the client code.

Currently Samba doesn't pass this back to the caller as NT_STATUS_KDC_UNKNOWN_ETYPE, which is the NT status designated for this error - it gets returned as NT_STATUS_LOGON_FAILURE, which doesn't allow the caller to report the problem to the client GUI.

We already handle KDC-specific errors such as NT_STATUS_TIME_DIFFERENCE_AT_DC; this just adds another one to enable users to debug problems.

Patch to follow.
Comment 1 Jeremy Allison 2018-01-30 17:00:26 UTC
Created attachment 13935
git-am fix for master.
Comment 2 Jeremy Allison 2018-01-31 01:36:45 UTC
Created attachment 13937
git-am fix for 4.8.0rcNext, 4.7.next, 4.6.next.

Cherry-pick from master, applies cleanly to 4.8.0rcX, 4.7.next, 4.6.next.