[PATCH] Return correct gss-error to client.

Jeremy Allison jra at samba.org
Tue Jan 30 17:03:59 UTC 2018

Hi all,

Google ChromeOS restricts the enc types allowed for the kerberos
client. If the DC doesn't support these types it returns
KRB5KDC_ERR_ETYPE_NOSUPP as an error to the client code.

Currently Samba doesn't pass this back to the caller as
NT_STATUS_KDC_UNKNOWN_ETYPE, which is the NT status designated
for this specific error - it gets returned as NT_STATUS_LOGON_FAILURE,
which doesn't allow the caller to report the problem to the client GUI.

We already handle KDC specific errors such as NT_STATUS_TIME_DIFFERENCE_AT_DC,
this just adds another one to enable users to debug problems (so
this isn't a case of error squashing to prevent attacks).

Please review and push if happy !


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-librpc-Allow-client-to-correctly-report-etype-uns.patch
Type: text/x-diff
Size: 1021 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180130/2a6f1b38/0001-s3-librpc-Allow-client-to-correctly-report-etype-uns.diff>

More information about the samba-technical mailing list