Bug 13247 - gss_api error not returned to client caller via NTSTATUS
gss_api error not returned to client caller via NTSTATUS
Status: ASSIGNED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
4.8.0rc2
All All
: P5 normal
: ---
Assigned To: Jeremy Allison
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-30 16:59 UTC by Jeremy Allison
Modified: 2018-01-31 01:36 UTC (History)
2 users (show)

See Also:


Attachments
git-am fix for master. (1021 bytes, patch)
2018-01-30 17:00 UTC, Jeremy Allison
slow: review+
Details
git-am fix for 4.8.0rcNext, 4.7.next, 4.6.next. (1.22 KB, patch)
2018-01-31 01:36 UTC, Jeremy Allison
jra: review? (asn)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2018-01-30 16:59:27 UTC
Google ChromeOS restricts the enc types allowed for the kerberos client. If the DC doesn't support these types it returns KRB5KDC_ERR_ETYPE_NOSUPP as an error to the client code.

Currently Samba doesn't pass this back to the caller as NT_STATUS_KDC_UNKNOWN_ETYPE, which is the NT status designated for this error - it gets returned as NT_STATUS_LOGON_FAILURE, which doesn't allow the caller to report the problem to the client GUI.

We already handle KDC specific errors such as NT_STATUS_TIME_DIFFERENCE_AT_DC, this just adds another one to enable users to debug problems.

Patch to follow.
Comment 1 Jeremy Allison 2018-01-30 17:00:26 UTC
Created attachment 13935 [details]
git-am fix for master.
Comment 2 Jeremy Allison 2018-01-31 01:36:45 UTC
Created attachment 13937 [details]
git-am fix for 4.8.0rcNext, 4.7.next, 4.6.next.

Cherry-pick from master, applies cleanly to 4.8.0rcX, 4.7.next, 4.6.next.