Bug 15514 - Kerberos client produces confusing message when the KDC sends KERB-ERROR-DATA
Summary: Kerberos client produces confusing message when the KDC sends KERB-ERROR-DATA
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.19.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jennifer Sutton
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-09 23:37 UTC by Jennifer Sutton
Modified: 2023-11-10 01:36 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jennifer Sutton 2023-11-09 23:37:09 UTC
In certain circumstances, such as when an authentication policy restricts getting a ticket, the KDC will send KERB-ERROR-DATA instead of METHOD-DATA. Windows clients can decode KERB-ERROR-DATA and get an NTSTATUS code, but we fail to do so.

The error messages produced by the Heimdal client look like:
“Miscellaneous failure (see text): Failed to decode METHOD-DATA (host/client@ADDOM.SAMBA.EXAMPLE.COM)”.
Comment 1 Jennifer Sutton 2023-11-09 23:38:08 UTC
The Heimdal PR is here: https://github.com/heimdal/heimdal/pull/1096.
Comment 2 Jennifer Sutton 2023-11-10 00:32:04 UTC
On the MIT side, krb5int_fast_process_error() looks like it can handle the e-data field not being valid METHOD-DATA.
Comment 3 Samba QA Contact 2023-11-10 01:36:04 UTC
This bug was referenced in samba master:

b8ffb24596452edb647d8df8b2ec608a607ebac4