[cifs-protocol] [EXTERNAL] Kerberos e-data NTSTATUS encoding - TrackingID#2305240040010867

Joseph Sutton jsutton at samba.org
Tue Jun 20 01:52:07 UTC 2023


[Resending with correct addresses CC’ed.]

Hi,

We indeed see the 0x2 flag in Kerberos error responses generated by 
Windows. Specifically, the flag is present if the reply is a TGS-REQ, 
and absent if it is an AS-REQ.

Regards,
Joseph

On 6/06/23 6:32 am, Obaid Farooqi via cifs-protocol wrote:
>
> Hi Andrew:
>
> The information in the reserved and flags fields is not really 
> interesting for anyone who does not have access to Windows source 
> code. The reserved field has the file number and line number in it where 
> the error is generated.
>
> The flags field can have only two values.
>
> 0x1
>
> 0x2
>
> 0x1 is already documented. 0x2 means that the error is encoded in ASN.1.
>
> If you ever saw 0x2 on the wire, please let me know and I’ll file a 
> bug to include it in the document.
>
> Regards,
>
> Obaid Farooqi
>
> Escalation Engineer | Microsoft
>
> *From:* Michael Bowen <Mike.Bowen at microsoft.com>
> *Sent:* Wednesday, May 24, 2023 5:15 PM
> *To:* Andrew Bartlett <abartlet at samba.org>
> *Cc:* cifs-protocol mailing list <cifs-protocol at lists.samba.org>; 
> Joseph Sutton <josephsutton at catalyst.net.nz>; Microsoft Support 
> <supportmail at microsoft.com>
> *Subject:* RE: [EXTERNAL] Kerberos e-data NTSTATUS encoding - 
> TrackingID#2305240040010867
>
> [DocHelp to bcc]
>
> Hi Andrew,
>
> Thanks for your question. We’ve created case #2305240040010867 to 
> track this case. One of our engineers will contact you soon.
>
> Mike Bowen
> Escalation Engineer - Microsoft Open Specifications
>
> *From:* Andrew Bartlett <abartlet at samba.org>
> *Sent:* Wednesday, May 24, 2023 2:58 PM
> *To:* Interoperability Documentation Help <dochelp at microsoft.com>
> *Cc:* cifs-protocol mailing list <cifs-protocol at lists.samba.org>; 
> Joseph Sutton <josephsutton at catalyst.net.nz>
> *Subject:* [EXTERNAL] Kerberos e-data NTSTATUS encoding
>
> Per my call with Jeff and Obaid today:
>
> My one question comes from Joseph who is working on Kerberos for us:
>
> The NTSTATUS structure in the Kerberos e-data field.  Where is this 
> packing defined, and what are the second two fields used for?
>
> The first one that’s always zero, and the second one that appears to 
> be flags.
>
> KERB_ERR_TYPE_EXTENDED 
> <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/25fabd02-560d-4c1f-8f42-b32e9d97996a>
>
> only says the *data-value* field contains extended, 
> implementation-specific error information.
>
> https://gitlab.com/samba-team/samba/-/blob/master/source4/kdc/hdb-samba4.c#L573
>
> Even if Microsoft clients do not use this, we have found in the real 
> world that third party clients rely on this behaviour, so we need to 
> know what else might be encoded here.
>
> Thanks,
>
> Andrew Bartlett
>
> -- 
>
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
>
> Samba Team Member (since 2001) https://samba.org
>
> Samba Team Lead https://catalyst.net.nz/services/samba
>
> Catalyst.Net Ltd
>
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group 
> company
>
> Samba Development and Support: https://catalyst.net.nz/services/samba
>
> Catalyst IT - Expert Open Source Solutions
>
>
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol at lists.samba.org
> https://lists.samba.org/mailman/listinfo/cifs-protocol
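
Added example (not from the thread, and not Samba's or Microsoft's code): a defensive decoder for the structure discussed above. It assumes the MS-KILE layout, which the thread does not spell out: e-data is a DER KERB-ERROR-DATA with data-type 3 (KERB_ERR_TYPE_EXTENDED) whose data-value is three little-endian 32-bit fields (status, reserved, flags). The function names and the sample bytes are constructed for illustration.

```python
import struct

KERB_ERR_TYPE_EXTENDED = 3  # assumption: data-type value from MS-KILE, not stated in the thread
# Meanings as given in the thread; testing them as individual bits is an assumption.
FLAG_NAMES = {0x1: "0x1 (already documented)", 0x2: "0x2 (error encoded in ASN.1)"}

def _tlv(buf, off, tag):
    """Read one short-form DER TLV with the expected tag; return (value, next_offset)."""
    if off + 2 > len(buf) or buf[off] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {off}")
    length = buf[off + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected around a 12-byte payload")
    end = off + 2 + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return buf[off + 2:end], end

def unwrap_kerb_error_data(e_data):
    """KERB-ERROR-DATA ::= SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING }"""
    seq, end = _tlv(e_data, 0, 0x30)
    if end != len(e_data):
        raise ValueError("trailing bytes after KERB-ERROR-DATA")
    wrapped_type, off = _tlv(seq, 0, 0xA1)
    wrapped_value, _ = _tlv(seq, off, 0xA2)
    data_type, _ = _tlv(wrapped_type, 0, 0x02)
    data_value, _ = _tlv(wrapped_value, 0, 0x04)
    return int.from_bytes(data_type, "big", signed=True), data_value

def parse_ext_error(data_value):
    """Split the 12-byte blob; 'reserved' is opaque to anyone without Windows source."""
    if len(data_value) != 12:
        raise ValueError(f"expected 12 bytes, got {len(data_value)}")
    status, reserved, flags = struct.unpack("<III", data_value)
    return {"status": status, "reserved": reserved, "flags": flags,
            "known_flags": [n for bit, n in FLAG_NAMES.items() if flags & bit],
            "unknown_flags": flags & ~0x3}

def decode_e_data(e_data):
    data_type, data_value = unwrap_kerb_error_data(e_data)
    if data_type != KERB_ERR_TYPE_EXTENDED:
        raise ValueError(f"unexpected data-type {data_type}")
    return parse_ext_error(data_value)

# Constructed sample: status 0xC0000072, reserved 0, flags 0x2 (the value seen on TGS errors).
SAMPLE = bytes.fromhex("3015a103020103a20e040c" "720000c0" "00000000" "02000000")

if __name__ == "__main__":
    result = decode_e_data(SAMPLE)
    print(f"status=0x{result['status']:08X} flags={result['known_flags']}")
```

A client that depends on this blob should treat a non-zero `unknown_flags` or a length other than 12 as a reason to fall back to the plain Kerberos error code.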