[PATCH] Return correct gss-error to client.

Richard Sharpe realrichardsharpe at gmail.com
Tue Jan 30 17:10:33 UTC 2018

On Tue, Jan 30, 2018 at 9:03 AM, Jeremy Allison via samba-technical
<samba-technical at lists.samba.org> wrote:
> Hi all,
> Google ChromeOS restricts the enc types allowed for the kerberos
> client. If the DC doesn't support these types it returns
> KRB5KDC_ERR_ETYPE_NOSUPP as an error to the client code.
> Currently Samba doesn't pass this back to the caller as
> NT_STATUS_KDC_UNKNOWN_ETYPE, which is the NT status designated
> for this specific error - it gets returned as NT_STATUS_LOGON_FAILURE,
> which doesn't allow the caller to report the problem to the client GUI.
> We already handle KDC specific errors such as NT_STATUS_TIME_DIFFERENCE_AT_DC,
> this just adds another one to enable users to debug problems (so
> this isn't a case of error squashing to prevent attacks).
> Please review and push if happy !

FWIW, RB+ Richard Sharpe <realrichardsharpe at gmail.com>

Richard Sharpe

More information about the samba-technical mailing list