[PATCH] How an AD KDC maps to NT_STATUS codes

Luke Howard lukeh at padl.com
Sat Mar 18 01:20:45 GMT 2006


Hi Guenther,

>Recently I found out how that magic krb5_error_code to NT_STATUS code
>mapping really works. It is quite simple: an AD KDC puts an ASN.1-encoded
>blob (the octet string in that) into the edata field of a KRB5-ERROR
>packet.  If the first integer in that blob is "3", then an octet string
>follows which starts with a 32-bit Windows NTSTATUS code, followed by two
>uint32 (where the second is always 0x00000001). I doubt that the
>octet-string is really NDR encoded but that was the most convenient way to
>parse it for now.

Good work! Maybe you can run dumpasn1 on it to deduce the containing
structure?

cheers,

-- Luke
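
A bounds-checked decoder for the edata layout described in the quoted text, as an added example that is not part of this thread or of Samba's code. Assumptions: the three 32-bit values are little-endian, the sample blob's outer nesting is constructed for illustration (the thread leaves the containing structure open), and `parse_kdc_edata` and `struct edata_status` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample, not a capture. Assumed nesting:
 * SEQUENCE { SEQUENCE { [1] INTEGER 3, [2] OCTET STRING(12) } } */
static const uint8_t SAMPLE_EDATA[] = {
    0x30,0x17,0x30,0x15,0xa1,0x03,0x02,0x01,0x03,0xa2,0x0e,0x04,0x0c,
    0x71,0x00,0x00,0xc0, 0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00 };

struct edata_status { uint32_t ntstatus, v1, v2; int have_int, found; };

/* Assumption: values inside the octet string are little-endian. */
static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Depth-first walk over DER TLVs; -1 on malformed or unexpected input. */
static int walk(const uint8_t *p, size_t n, struct edata_status *r, int depth) {
    while (n > 0 && !r->found) {
        if (n < 2 || depth > 8 || (p[0] & 0x1f) == 0x1f) return -1;
        size_t len = p[1], hdr = 2;
        if (len & 0x80) {                        /* long-form length */
            size_t k = len & 0x7f;
            if (k == 0 || k > 2 || n < 2 + k) return -1;
            len = 0;
            for (size_t i = 0; i < k; i++) len = len << 8 | p[2 + i];
            hdr += k;
        }
        if (len > n - hdr) return -1;            /* value must fit the buffer */
        const uint8_t *v = p + hdr;
        if (p[0] & 0x20) {                       /* constructed: descend */
            if (walk(v, len, r, depth + 1) < 0) return -1;
        } else if (p[0] == 0x02 && !r->have_int) {
            if (len != 1 || v[0] != 3) return -1;    /* first INTEGER must be 3 */
            r->have_int = 1;
        } else if (p[0] == 0x04 && r->have_int) {
            if (len < 12) return -1;             /* NTSTATUS + two uint32 */
            r->ntstatus = le32(v); r->v1 = le32(v + 4); r->v2 = le32(v + 8);
            r->found = 1;
        }
        p += hdr + len; n -= hdr + len;
    }
    return 0;
}
int parse_kdc_edata(const uint8_t *blob, size_t n, struct edata_status *out) {
    memset(out, 0, sizeof *out);
    return (walk(blob, n, out, 0) == 0 && out->found) ? 0 : -1;
}
int main(void) {
    struct edata_status s;
    if (parse_kdc_edata(SAMPLE_EDATA, sizeof SAMPLE_EDATA, &s) == 0)
        printf("NTSTATUS 0x%08x\n", (unsigned)s.ntstatus);
    return 0;
}
```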
