gensec returns the wrong error to kerberos errors like Ticket Expired and clock skew issues

Mon Nov 9 00:48:40 UTC 2015

On Sun, Nov 8, 2015 at 11:34 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Sat, Nov 7, 2015 at 7:10 PM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> On Sat, Nov 7, 2015 at 12:32 AM, Stefan Metzmacher <metze at samba.org> wrote:
>>> Am 06.11.2015 um 03:22 schrieb Richard Sharpe:
>>>> On Wed, Nov 4, 2015 at 11:23 AM, Jeremy Allison <jra at samba.org> wrote:
>>>>> On Wed, Nov 04, 2015 at 11:14:50AM -0800, Richard Sharpe wrote:
>>>>>> On Wed, Nov 4, 2015 at 10:22 AM, Jeremy Allison <jra at samba.org> wrote:
>>>>>>> On Wed, Nov 04, 2015 at 10:00:48AM -0800, Richard Sharpe wrote:
>>>>>>>> Hi folks,
>>>>>>>>
>>>>>>>> A capture I have indicates that when a Windows server gets a
>>>>>>>> KRB5KRB_AP_ERR_TKT_EXPIRED error it returns
>>>>>>>> STATUS_MORE_PROCESSING_REQUIRED along with an SPNEGO negTokenTarg with
>>>>>>>> the Kerberos error blob in it.
>>>>>>>>
>>>>>>>> Samba, and it looks like gensec, folds that down to LOGON_FAILED,
>>>>>>>> which makes it very hard for admins to figure out what the real error
>>>>>>>> is.
>>>>>>>>
>>>>>>>> Is there a bugzilla on this?
>>>>>>>>
>>>>>>>> If I get a chance I will try to provide a fix.
>>>>>>>
>>>>>>> I think that is intentional in order to prevent
>>>>>>> username guessing attacks.
>>>>>>
>>>>>> That doesn't even pass the smell test. The KDC is responsible for
>>>>>> preventing password guessing games.
>>>>>
>>>>> Sure, but smbd is also. Remember we have our own passdb
>>>>> code which has to implement the same protections.
>>>>>
>>>>> However, I haven't looked at that bit of gensec recently
>>>>> so you may be right here :-).
>>>>
>>>> It looks like perhaps in
>>>> source3/librpc/crypto/gse.c:gse_get_server_auth_token in the default
>>>> arm of the switch, if gse_min is KRB5KRB_AP_ERR_TKT_EXPIRED or
>>>> KRB5KRB_AP_ERR_TKT_NYV we should return
>>>> NT_STATIS_MORE_PROCESSING_REQUIRED.
>>>>
>>>> I will see if this produces a response more to the liking of Windows.
>>>
>>> Can you file a bug report and attach network captures against windows
>>> and against
>>> Samba?
>>
>> OK, I will likely file a bug, but it looks like this is a problem to
>> do with the version of MIT Kerberos 5 you are using.
>>
>> Having done some debugging and a lot of code inspection, it looks like
>> this is not something that Samba can get right or wrong. The problem
>> is in gss_accept_sec_context in versions up to at least 1.10.3 and
>> perhaps later, but I have not checked all versions. Also, I have not
>> checked versions earlier than 1.10.3 in CentOS 6.6 so it might be a
>> regression in that version.
>>
>> In version 1.10.3+ (from CentOS/RHEL 6.6 krb5-1.10.3-37) there is a
>> path where it seems to forget to create an output token on an error
>> where the AP request was decoded, however, 10.13.2 does not seem to
>> have this bug.
>
> OK, after much screwing around with SPEC files, I managed to build the
> RPMs I needed with krb5-1.13.2 in them, installed them on my test
> machine, set the time forward and backward, and Samba generates the
> correct responses (that is, the same as Windows does.)
>
> So this is not a Samba bug, but I will still file a bug in case
> someone else searches for this issue as well.

One last comment:

W2K08 reports an Extended error when the server does the right thing.
It seems that it is Win10 that reports time sync issues.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)