Bug 9048 - Samba4 ldap error codes
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.6.0rc2
Hardware: All
OS: All
Importance: P5 enhancement
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Reported: 2012-07-18 08:59 UTC by miquel
Modified: 2017-01-30 23:53 UTC (History)
Description miquel 2012-07-18 08:59:50 UTC
The error codes from Samba4 do not follow the same syntax as the AD error codes:

for the same error:
Samba4:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: Simple Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE

AD
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1


Some software like openam/opensso uses these return codes to manage password change/expiration, etc.
Comment 1 Arvid Requate 2013-06-26 17:32:48 UTC
The error code is the same: "code = 49, message = Invalid credentials", only the extended error message contains the reason in the code after the "data" keyword. Samba cannot guess which kind of pattern matching different clients try to extract this information. I guess it's a bit much to ask from Samba to mimic this error message 1:1, at least at this stage of development. I guess the proper way to detect this would have to be implemented in the client by trying a netlogon to retrieve additional information on the circumstances of the problem.
Comment 2 Matthias Dieter Wallnöfer 2014-04-24 19:25:44 UTC
Yes, we do our best to match the main LDAP error code and I have not seen any tool yet which expects also the extended error message to be the same as on Windows.
The bug is valid, but I mark it as ENHANCEMENT.
Comment 3 Andrew Bartlett 2017-01-27 11:04:28 UTC
For the bind case this is easier than some of the others, because of layering.  The error strings are directly emitted by source4/ldap_server/ldap_bind.c, so they can be fixed there without a big stack above them.

For keycloak we need to output something that matches
(".*AcceptSecurityContext error, data ([0-9a-f]*), v.*");

https://github.com/keycloak/keycloak/blob/b2d1a1a17fc8f665f4ba83d62e3c22d4dfa0048a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java#L56

That just needs the windows error mapping of the
NT_STATUS_PWD_MUST_CHANGE code in 'data', which isn't hard to get.

The main trick will be lots of testing, and finding the match patterns for other tools we want to care about.
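As an added illustration of the mismatch discussed in this bug (example code, not Samba's or Keycloak's own), the Keycloak pattern quoted above is run over both diagnostic strings from the report, and a small rewrite shows the shape of string Samba's bind path would have to emit for that pattern to match. The NTSTATUS-to-`data` table beyond 0x773 and the helper names are assumptions of this example; only the 773 / NT_STATUS_PASSWORD_MUST_CHANGE pairing comes from the page.

```python
import re

# Keycloak's MSAD mapper pattern as quoted in Comment 3 (Java regex syntax,
# which Python's re accepts unchanged).
AD_BIND_DATA_RE = re.compile(r".*AcceptSecurityContext error, data ([0-9a-f]*), v.*")

# Windows 'data' sub-codes AD puts in the extended bind error. 0x773 is the one
# shown in the report; the others are the documented Win32 ERROR_* values AD
# uses in the same field (assumption: not taken from this bug).
AD_DATA_CODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "password must change",
    0x775: "account locked out",
}

# Samba's "Simple Bind Failed: <NT_STATUS>" reasons mapped to the AD 'data'
# value. Hypothetical table: the mapping Samba would need, not its current code.
NTSTATUS_TO_DATA = {
    "NT_STATUS_NO_SUCH_USER": 0x525,
    "NT_STATUS_LOGON_FAILURE": 0x52E,
    "NT_STATUS_PASSWORD_EXPIRED": 0x532,
    "NT_STATUS_ACCOUNT_DISABLED": 0x533,
    "NT_STATUS_ACCOUNT_EXPIRED": 0x701,
    "NT_STATUS_PASSWORD_MUST_CHANGE": 0x773,
    "NT_STATUS_ACCOUNT_LOCKED_OUT": 0x775,
}


def parse_ad_bind_data(diag: str):
    """Return the 'data' sub-code as an int, or None if the client pattern
    does not match (which is what happens with Samba's current string)."""
    m = AD_BIND_DATA_RE.match(diag)
    if not m or not m.group(1):
        return None
    return int(m.group(1), 16)


def samba_to_ad_diag(samba_diag: str) -> str:
    """Rewrite a Samba bind diagnostic into the AD-style string the Keycloak
    pattern expects; unknown reasons are passed through unchanged."""
    prefix = "Simple Bind Failed: "
    if not samba_diag.startswith(prefix):
        return samba_diag
    code = NTSTATUS_TO_DATA.get(samba_diag[len(prefix):].strip())
    if code is None:
        return samba_diag
    # DSID copied from the report's AD example; clients only parse 'data'.
    return ("80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext "
            f"error, data {code:x}, v1db1")
```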
Comment 4 Andrew Bartlett 2017-01-30 23:53:21 UTC
Does anybody know the pattern openam / opensso uses on the error string?

I can't quickly find it with a github search.