[cifs-protocol] [EXTERNAL] Kerberos e-data NTSTATUS encoding - TrackingID#2305240040010867

Mon Jun 5 18:32:50 UTC 2023

Hi Andrew:
The information in the reserved and flags field in not really interesting for anyone who does not have access to Windows source code. The reserved filed has file number and line number in it where the error is generated.
The flags field can have only two values.
0x1
0x2
0x1 is already documented. 0x2 means that the error is encoded in ASN.1

If you ever saw 0x2 on the wire, please let me know and I'll file a bug to include it in the document.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

From: Michael Bowen <Mike.Bowen at microsoft.com>
Sent: Wednesday, May 24, 2023 5:15 PM
To: Andrew Bartlett <abartlet at samba.org>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Joseph Sutton <josephsutton at catalyst.net.nz>; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] Kerberos e-data NTSTATUS encoding - TrackingID#2305240040010867

[DocHelp to bcc]

Hi Andrew,

Thanks for your question. We've created case #2305240040010867 to track this case. One of our engineers will contact you soon.

Mike Bowen
Escalation Engineer - Microsoft Open Specifications

From: Andrew Bartlett <abartlet at samba.org<mailto:abartlet at samba.org>>
Sent: Wednesday, May 24, 2023 2:58 PM
To: Interoperability Documentation Help <dochelp at microsoft.com<mailto:dochelp at microsoft.com>>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org<mailto:cifs-protocol at lists.samba.org>>; Joseph Sutton <josephsutton at catalyst.net.nz<mailto:josephsutton at catalyst.net.nz>>
Subject: [EXTERNAL] Kerberos e-data NTSTATUS encoding

Per my call with Jeff and Obiad today:

My one question comes from Joseph who is working on Kerberos for us:

The NTSTATUS structure in the Kerberos e-data field.  Where is this packing defined, and what the second two fields are used for?

The first one that's always zero, and the second one that appears to be flags.
KERB_ERR_TYPE_EXTENDED<https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/25fabd02-560d-4c1f-8f42-b32e9d97996a>

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/25fabd02-560d-4c1f-8f42-b32e9d97996a
only says the data-value field contains extended, implementation-specific error information.

https://gitlab.com/samba-team/samba/-/blob/master/source4/kdc/hdb-samba4.c#L573

Even if Microsoft clients do not use this, we have found in the real world that third party clients rely on this behaviour, so we need to know what else might be encoded here.

Thanks,

Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org<https://samba.org/>
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20230605/b76620c1/attachment.htm>