gensec returns the wrong error to kerberos errors like Ticket Expired and clock skew issues
realrichardsharpe at gmail.com
Fri Nov 6 02:22:01 UTC 2015
On Wed, Nov 4, 2015 at 11:23 AM, Jeremy Allison <jra at samba.org> wrote:
> On Wed, Nov 04, 2015 at 11:14:50AM -0800, Richard Sharpe wrote:
>> On Wed, Nov 4, 2015 at 10:22 AM, Jeremy Allison <jra at samba.org> wrote:
>> > On Wed, Nov 04, 2015 at 10:00:48AM -0800, Richard Sharpe wrote:
>> >> Hi folks,
>> >> A capture I have indicates that when a Windows server gets a
>> >> KRB5KRB_AP_ERR_TKT_EXPIRED error it returns
>> >> STATUS_MORE_PROCESSING_REQUIRED along with an SPNEGO negTokenTarg with
>> >> the Kerberos error blob in it.
>> >> Samba, and it looks like gensec, folds that down to LOGON_FAILED,
>> >> which makes it very hard for admins to figure out what the real error
>> >> is.
>> >> Is there a bugzilla on this?
>> >> If I get a chance I will try to provide a fix.
>> > I think that is intentional in order to prevent
>> > username guessing attacks.
>> That doesn't even pass the smell test. The KDC is responsible for
>> preventing password guessing games.
> Sure, but smbd is also. Remember we have our own passdb
> code which has to implement the same protections.
> However, I haven't looked at that bit of gensec recently
> so you may be right here :-).
It looks like perhaps in
source3/librpc/crypto/gse.c:gse_get_server_auth_token in the default
arm of the switch, if gse_min is KRB5KRB_AP_ERR_TKT_EXPIRED or
KRB5KRB_AP_ERR_TKT_NYV we should return
I will see if this produces a response more to the liking of Windows.
More information about the samba-technical