gensec returns the wrong error to kerberos errors like Ticket Expired and clock skew issues

[Richard Sharpe]

Hi folks,

A capture I have indicates that when a Windows server gets a
KRB5KRB_AP_ERR_TKT_EXPIRED error it returns
STATUS_MORE_PROCESSING_REQUIRED along with an SPNEGO negTokenTarg with
the Kerberos error blob in it.

Samba, and it looks like gensec, folds that down to LOGON_FAILED,
which makes it very hard for admins to figure out what the real error
is.

Is there a bugzilla on this?

If I get a chance I will try to provide a fix.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)