[PATCH] How an AD KDC maps to NT_STATUS codes

Todd Stecher tstecher at isilon.com
Fri Mar 17 21:35:42 GMT 2006

On Fri, 2006-03-17 at 15:41 +0100, Guenther Deschner wrote:
> Hi,
> recently I found out how that magic krb5_error_code to NT_STATUS code
> mapping really works. It is quite simple: An AD KDC puts an ASN1 encoded
> blob (the octet string in that) into the edata field of a KRB5-ERROR
> packet.  If the first integer in that blob is "3", then an octet string
> follows which starts with a 32bit windows NTSTATUS code, followed by two
> uint32 (where the second is always 0x00000001). I doubt that the
> octet-string is really NDR encoded but that was the most convenient way to
> parse it for now.
> This requires to have a Kerberos library that passes back the unmodified
> and unparsed edata (which neither Heimdal nor MIT does at the moment, if I
> get this correctly). Doing it in Heimdal was the simplest way as it has
> already the "error_string" in the krb5_context.
> Getting the NTSTATUS code directly from the krb5 reply is rather important
> as our current self-made mapping for the kerberized pam_auth in winbindd
> (Samba3) is still very defective.
> Forgive me that the patches are very immature and unfinished. You get the
> overall idea, I guess.
> Cheers,
> Guenther

Good catch - I put that into Windows 2003 KDCs errors (as well as in
W2000 SP, I believe) to give a more granular failure code relevant to
Windows clients.  

For example, if you're dealing with an account restriction, the only
really applicable KERB_ERR is "client revoked".  Clearly this is not a
user friendly error, nor does it clearly convey what really happened to
the user / application performing the AS_REQ.

It's not NDR encoded, and is really just an ASN wrapped structure.
There's also another version of this edata floating around which is
"TYPED" related to some very specific error conditions - when I did the
first version of the edata, I was a protocol rookie (1 or 2 months on
the job), and likely didn't preserve the true semantics of the edata -
e.g. I didn't use it as a typed data blob...  Live and learn.


More information about the samba-technical mailing list