[PATCH] How an AD KDC maps to NT_STATUS codes
abartlet at samba.org
Sun Mar 26 04:00:24 GMT 2006
On Fri, 2006-03-17 at 13:35 -0800, Todd Stecher wrote:
> Good catch - I put that into Windows 2003 KDCs errors (as well as in
> W2000 SP, I believe) to give a more granular failure code relevant to
> Windows clients.
> For example, if you're dealing with an account restriction, the only
> really applicable KERB_ERR is "client revoked". Clearly this is not a
> user friendly error, nor does it clearly convey what really happened to
> the user / application performing the AS_REQ.
> It's not NDR encoded, and is really just an ASN wrapped structure.
> There's also another version of this edata floating around which is
> "TYPED" related to some very specific error conditions - when I did the
> first version of the edata, I was a protocol rookie (1 or 2 months on
> the job), and likely didn't preserve the true semantics of the edata -
> e.g. I didn't use it as a typed data blob... Live and learn.
BTW, how does this relate to the GSS_C_EXTENDED_ERROR_FLAG on GSSAPI?
It seems from reading the draft that this turns it on for a particular
GSSAPI stream. Is that correct?
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net