Bug 15514 - Kerberos client produces confusing message when the KDC sends KERB-ERROR-DATA
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.19.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jo Sutton
QA Contact: Samba QA Contact
Reported: 2023-11-09 23:37 UTC by Jo Sutton
Modified: 2023-11-10 01:36 UTC
Description Jo Sutton 2023-11-09 23:37:09 UTC
In certain circumstances, such as when an authentication policy restricts getting a ticket, the KDC will send KERB-ERROR-DATA instead of METHOD-DATA. Windows clients can decode KERB-ERROR-DATA and get an NTSTATUS code, but we fail to do so.

The error messages produced by the Heimdal client look like:
“Miscellaneous failure (see text): Failed to decode METHOD-DATA (host/client@ADDOM.SAMBA.EXAMPLE.COM)”.
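
The distinction described in the report above, as an added example that is not part of the original bug report and is not Heimdal, MIT or Samba code: it tells KERB-ERROR-DATA apart from METHOD-DATA by the first inner DER tag and returns the NTSTATUS. The KERB-ERROR-DATA layout (data-type [1], data-value [2]), the data-type value 3 for an extended error and the little-endian status field of KERB_EXT_ERROR are taken from MS-KILE rather than from this page; the function names, return codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define EDATA_NOT_EXT_ERROR (-1) /* well-formed, not an extended KERB-ERROR-DATA */
#define EDATA_MALFORMED     (-2)

/* Constructed sample: KERB-ERROR-DATA, data-type 3, status 0xC0000413
 * (STATUS_AUTHENTICATION_FIREWALL_FAILED). */
static const uint8_t SAMPLE_KERB_ERROR_DATA[] = {
    0x30,0x15, 0xA1,0x03,0x02,0x01,0x03, 0xA2,0x0E,0x04,0x0C,
    0x13,0x04,0x00,0xC0, 0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00 };
/* Constructed sample: METHOD-DATA with one PA-DATA (type 19, empty value). */
static const uint8_t SAMPLE_METHOD_DATA[] = {
    0x30,0x0B, 0x30,0x09, 0xA1,0x03,0x02,0x01,0x13, 0xA2,0x02,0x04,0x00 };

/* Read one DER TLV with tag `want` from [*p, end); advance *p past it. */
static int tlv(const uint8_t **p, const uint8_t *end, uint8_t want,
               const uint8_t **val, size_t *len)
{
    const uint8_t *q = *p;
    size_t n, k;
    if (end - q < 2 || *q++ != want) return -1;
    n = *q++;
    if (n & 0x80) {                      /* long-form definite length */
        k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - q) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;
    *val = q; *len = n; *p = q + n;
    return 0;
}

/* Returns the NTSTATUS (0..0xFFFFFFFF) or one of the negative codes above. */
int64_t edata_ntstatus(const uint8_t *edata, size_t n)
{
    const uint8_t *p = edata, *seq, *end, *f, *v;
    size_t seqlen, flen, vlen;
    if (tlv(&p, edata + n, 0x30, &seq, &seqlen)) return EDATA_MALFORMED;
    p = seq; end = seq + seqlen;
    /* METHOD-DATA elements open with SEQUENCE (0x30), KERB-ERROR-DATA with [1]. */
    if (p == end || *p != 0xA1) return EDATA_NOT_EXT_ERROR;
    if (tlv(&p, end, 0xA1, &f, &flen) || tlv(&f, f + flen, 0x02, &v, &vlen))
        return EDATA_MALFORMED;
    /* data-type 3 = extended error (assumed from MS-KILE); data-value is OPTIONAL. */
    if (vlen != 1 || v[0] != 3 || p == end) return EDATA_NOT_EXT_ERROR;
    if (tlv(&p, end, 0xA2, &f, &flen) || tlv(&f, f + flen, 0x04, &v, &vlen) || vlen < 4)
        return EDATA_MALFORMED;
    /* KERB_EXT_ERROR starts with a little-endian 32-bit NTSTATUS. */
    return (int64_t)(v[0] | v[1] << 8 | v[2] << 16 | (uint32_t)v[3] << 24);
}
```

A caller that gets `EDATA_NOT_EXT_ERROR` falls through to its usual METHOD-DATA decoding; `EDATA_MALFORMED` covers truncated or mis-tagged e-data.
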
Comment 1 Jo Sutton 2023-11-09 23:38:08 UTC
The Heimdal PR is here: https://github.com/heimdal/heimdal/pull/1096.
Comment 2 Jo Sutton 2023-11-10 00:32:04 UTC
On the MIT side, krb5int_fast_process_error() looks like it can handle the e-data field not being valid METHOD-DATA.
Comment 3 Samba QA Contact 2023-11-10 01:36:04 UTC
This bug was referenced in samba master:

b8ffb24596452edb647d8df8b2ec608a607ebac4