<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>[Resending with correct addresses CC’ed.]<br>
</p>
<p>Hi,</p>
<p>We indeed see the 0x2 flag in Kerberos error responses generated
by Windows. Specifically, the flag is present if the reply is a
TGS-REQ, and absent if it is an AS-REQ.<br>
</p>
<p>Regards,<br>
Joseph<br>
</p>
<div class="moz-cite-prefix">On 6/06/23 6:32 am, Obaid Farooqi via
cifs-protocol wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MN2PR21MB13903B6F1E4E7A2FFE3FDC8FC64DA@MN2PR21MB1390.namprd21.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi Andrew:<o:p></o:p></p>
<p class="MsoNormal">The information in the reserved and flags
field in not really interesting for anyone who does not have
access to Windows source code. The reserved filed has file
number and line number in it where the error is generated.<o:p></o:p></p>
<p class="MsoNormal">The flags field can have only two values. <o:p></o:p></p>
<p class="MsoNormal">0x1<o:p></o:p></p>
<p class="MsoNormal">0x2<o:p></o:p></p>
<p class="MsoNormal">0x1 is already documented. 0x2 means that
the error is encoded in ASN.1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If you ever saw 0x2 on the wire, please let
me know and I’ll file a bug to include it in the document.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">Obaid Farooqi<o:p></o:p></p>
<p class="MsoNormal">Escalation Engineer | Microsoft<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Michael Bowen <a
class="moz-txt-link-rfc2396E"
href="mailto:Mike.Bowen@microsoft.com"
moz-do-not-send="true"><Mike.Bowen@microsoft.com></a>
<br>
<b>Sent:</b> Wednesday, May 24, 2023 5:15 PM<br>
<b>To:</b> Andrew Bartlett <a
class="moz-txt-link-rfc2396E"
href="mailto:abartlet@samba.org" moz-do-not-send="true"><abartlet@samba.org></a><br>
<b>Cc:</b> cifs-protocol mailing list <a
class="moz-txt-link-rfc2396E"
href="mailto:cifs-protocol@lists.samba.org"
moz-do-not-send="true"><cifs-protocol@lists.samba.org></a>;
Joseph Sutton <a class="moz-txt-link-rfc2396E"
href="mailto:josephsutton@catalyst.net.nz"
moz-do-not-send="true"><josephsutton@catalyst.net.nz></a>;
Microsoft Support <a class="moz-txt-link-rfc2396E"
href="mailto:supportmail@microsoft.com"
moz-do-not-send="true"><supportmail@microsoft.com></a><br>
<b>Subject:</b> RE: [EXTERNAL] Kerberos e-data NTSTATUS
encoding - TrackingID#2305240040010867<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[DocHelp to bcc]<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Andrew,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks for your question. We’ve created
case #2305240040010867 to track this case. One of our
engineers will contact you soon.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span
style="color:#333333;background:white">Mike Bowen</span><span
style="color:#333333"><br>
<span style="background:white">Escalation Engineer -
Microsoft Open Specifications</span></span><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Andrew Bartlett <<a
href="mailto:abartlet@samba.org" moz-do-not-send="true"
class="moz-txt-link-freetext">abartlet@samba.org</a>>
<br>
<b>Sent:</b> Wednesday, May 24, 2023 2:58 PM<br>
<b>To:</b> Interoperability Documentation Help <<a
href="mailto:dochelp@microsoft.com"
moz-do-not-send="true" class="moz-txt-link-freetext">dochelp@microsoft.com</a>><br>
<b>Cc:</b> cifs-protocol mailing list <<a
href="mailto:cifs-protocol@lists.samba.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cifs-protocol@lists.samba.org</a>>;
Joseph Sutton <<a
href="mailto:josephsutton@catalyst.net.nz"
moz-do-not-send="true" class="moz-txt-link-freetext">josephsutton@catalyst.net.nz</a>><br>
<b>Subject:</b> [EXTERNAL] Kerberos e-data NTSTATUS
encoding<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Per my call with Jeff and Obiad today:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">My one question comes from Joseph who is
working on Kerberos for us:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The NTSTATUS structure in the Kerberos
e-data field. Where is this packing defined, and what the
second two fields are used for?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The first one that’s always zero, and the
second one that appears to be flags.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a
href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/25fabd02-560d-4c1f-8f42-b32e9d97996a"
moz-do-not-send="true">KERB_ERR_TYPE_EXTENDED</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><a
href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/25fabd02-560d-4c1f-8f42-b32e9d97996a"
moz-do-not-send="true" class="moz-txt-link-freetext">https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/25fabd02-560d-4c1f-8f42-b32e9d97996a</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">only says the <b>data-value</b> field
contains extended, implementation-specific error
information.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><a
href="https://gitlab.com/samba-team/samba/-/blob/master/source4/kdc/hdb-samba4.c#L573"
moz-do-not-send="true" class="moz-txt-link-freetext">https://gitlab.com/samba-team/samba/-/blob/master/source4/kdc/hdb-samba4.c#L573</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Even if Microsoft clients do not use
this, we have found in the real world that third party
clients rely on this behaviour, so we need to know what else
might be encoded here.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Andrew Bartlett<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<pre>-- <o:p></o:p></pre>
<div>
<p class="MsoNormal">Andrew Bartlett (he/him) <a
href="https://samba.org/~abartlet/"
moz-do-not-send="true" class="moz-txt-link-freetext">https://samba.org/~abartlet/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Team Member (since 2001) <a
href="https://samba.org/" moz-do-not-send="true"
class="moz-txt-link-freetext"> https://samba.org</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Team Lead <a
href="https://catalyst.net.nz/services/samba"
moz-do-not-send="true" class="moz-txt-link-freetext">https://catalyst.net.nz/services/samba</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:13.0pt">Catalyst.Net
Ltd</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Proudly developing Samba for
Catalyst.Net Ltd - a Catalyst IT group company<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Samba Development and Support: <a
href="https://catalyst.net.nz/services/samba"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://catalyst.net.nz/services/samba</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Catalyst IT - Expert Open Source
Solutions<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
cifs-protocol mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:cifs-protocol@lists.samba.org" moz-do-not-send="true">cifs-protocol@lists.samba.org</a>
<a class="moz-txt-link-freetext" href="https://lists.samba.org/mailman/listinfo/cifs-protocol" moz-do-not-send="true">https://lists.samba.org/mailman/listinfo/cifs-protocol</a>
</pre>
</blockquote>
</body>
</html>