gensec returns the wrong error to kerberos errors like Ticket Expired and clock skew issues

Stefan Metzmacher metze at samba.org
Sat Nov 7 08:32:06 UTC 2015


Am 06.11.2015 um 03:22 schrieb Richard Sharpe:
> On Wed, Nov 4, 2015 at 11:23 AM, Jeremy Allison <jra at samba.org> wrote:
>> On Wed, Nov 04, 2015 at 11:14:50AM -0800, Richard Sharpe wrote:
>>> On Wed, Nov 4, 2015 at 10:22 AM, Jeremy Allison <jra at samba.org> wrote:
>>>> On Wed, Nov 04, 2015 at 10:00:48AM -0800, Richard Sharpe wrote:
>>>>> Hi folks,
>>>>>
>>>>> A capture I have indicates that when a Windows server gets a
>>>>> KRB5KRB_AP_ERR_TKT_EXPIRED error it returns
>>>>> STATUS_MORE_PROCESSING_REQUIRED along with an SPNEGO negTokenTarg with
>>>>> the Kerberos error blob in it.
>>>>>
>>>>> Samba, and it looks like gensec, folds that down to LOGON_FAILED,
>>>>> which makes it very hard for admins to figure out what the real error
>>>>> is.
>>>>>
>>>>> Is there a bugzilla on this?
>>>>>
>>>>> If I get a chance I will try to provide a fix.
>>>>
>>>> I think that is intentional in order to prevent
>>>> username guessing attacks.
>>>
>>> That doesn't even pass the smell test. The KDC is responsible for
>>> preventing password guessing games.
>>
>> Sure, but smbd is also. Remember we have our own passdb
>> code which has to implement the same protections.
>>
>> However, I haven't looked at that bit of gensec recently
>> so you may be right here :-).
> 
> It looks like perhaps in
> source3/librpc/crypto/gse.c:gse_get_server_auth_token in the default
> arm of the switch, if gse_min is KRB5KRB_AP_ERR_TKT_EXPIRED or
> KRB5KRB_AP_ERR_TKT_NYV we should return
> NT_STATUS_MORE_PROCESSING_REQUIRED.
> 
> I will see if this produces a response more to the liking of Windows.

Can you file a bug report and attach network captures against Windows
and against Samba?

Thanks!
metze
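The reply shape the thread describes, a Kerberos error blob carried inside an SPNEGO negTokenTarg (negTokenResp), as an added example that is not part of this thread and not Samba or gensec code. It hand-rolls just enough DER to build a minimal KRB-ERROR (RFC 4120) and wrap it in a negTokenResp (RFC 4178), then decodes such a reply back down to the Kerberos error-code so the real cause (ticket expired, not yet valid, clock skew) is visible instead of a folded-down logon failure. The realm, service name, timestamp and the choice of negState accept-incomplete for the reply are constructed assumptions; the error-code values come from RFC 4120 section 7.5.9.

```python
"""Build and decode an SPNEGO negTokenResp carrying a Kerberos KRB-ERROR.

Added example for the discussion above; not Samba/gensec code. It assumes
single-byte ASN.1 tags and implements only the DER it needs.
"""

# Kerberos error codes from RFC 4120 section 7.5.9 (subset)
KRB_ERR_NAMES = {
    31: "KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB_AP_ERR_TKT_EXPIRED",
    33: "KRB_AP_ERR_TKT_NYV",
    37: "KRB_AP_ERR_SKEW",
}
# SPNEGO negState values from RFC 4178 section 4.2.2
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2


def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n, tag=0x02):
    # Two's-complement minimal encoding; tag 0x0A gives an ENUMERATED.
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return tlv(tag, n.to_bytes(size, "big", signed=True))


def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV at buf[pos:]."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def build_krb_error(code, realm=b"EXAMPLE.COM", service=(b"cifs", b"fileserver")):
    """Constructed KRB-ERROR (APPLICATION 30) with only the required fields (assumed sample values)."""
    sname = tlv(0x30, tlv(0xA0, der_int(2)) +                       # name-type NT-SRV-INST
                tlv(0xA1, tlv(0x30, b"".join(tlv(0x1B, s) for s in service))))
    body = (tlv(0xA0, der_int(5)) +                      # pvno
            tlv(0xA1, der_int(30)) +                     # msg-type KRB_ERROR
            tlv(0xA4, tlv(0x18, b"20151104182200Z")) +   # stime (constructed value)
            tlv(0xA5, der_int(0)) +                      # susec
            tlv(0xA6, der_int(code)) +                   # error-code
            tlv(0xA9, tlv(0x1B, realm)) +                # realm
            tlv(0xAA, sname))                            # sname
    return tlv(0x7E, tlv(0x30, body))


def build_neg_token_resp(neg_state, response_token):
    """negTokenResp ::= [1] SEQUENCE { negState [0], supportedMech [1], responseToken [2] }"""
    seq = (tlv(0xA0, der_int(neg_state, tag=0x0A)) +
           tlv(0xA1, tlv(0x06, KRB5_MECH_OID)) +
           tlv(0xA2, tlv(0x04, response_token)))
    return tlv(0xA1, tlv(0x30, seq))


def decode_neg_token_resp(blob):
    """Return (negState name, Kerberos error-code or None, error name or None)."""
    tag, body, _ = read_tlv(blob)
    assert tag == 0xA1, "not a negTokenResp"
    _, seq, _ = read_tlv(body)
    fields = dict(children(seq))
    neg_state = int.from_bytes(read_tlv(fields[0xA0])[1], "big", signed=True)
    token = read_tlv(fields[0xA2])[1] if 0xA2 in fields else b""
    # Strip RFC 1964 framing if present: APPLICATION 0 { mech OID, TOK_ID, KRB-ERROR }
    if token[:1] == b"\x60":
        _, inner, _ = read_tlv(token)
        _, _, pos = read_tlv(inner)      # skip the mech OID
        token = inner[pos + 2:]          # skip the 2-byte TOK_ID
    if token[:1] != b"\x7e":             # not a KRB-ERROR (APPLICATION 30)
        return NEG_STATE.get(neg_state, "?"), None, None
    _, err_body, _ = read_tlv(token)
    _, err_seq, _ = read_tlv(err_body)
    err_fields = dict(children(err_seq))
    code = int.from_bytes(read_tlv(err_fields[0xA6])[1], "big", signed=True)
    return NEG_STATE.get(neg_state, "?"), code, KRB_ERR_NAMES.get(code, "unknown")


if __name__ == "__main__":
    reply = build_neg_token_resp(1, build_krb_error(32))
    print(decode_neg_token_resp(reply))  # ('accept-incomplete', 32, 'KRB_AP_ERR_TKT_EXPIRED')
```

Feed the responseToken bytes from a capture (the blob inside the negTokenTarg of the server's SPNEGO reply) to decode_neg_token_resp to see which Kerberos error the peer actually reported; the decoder accepts both a bare KRB-ERROR and one wrapped in RFC 1964 GSS framing.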
