[PATCH] How an AD KDC maps to NT_STATUS codes

Andrew Bartlett abartlet at samba.org
Sun Mar 26 04:00:24 GMT 2006


On Fri, 2006-03-17 at 13:35 -0800, Todd Stecher wrote:

> 
> Good catch - I put that into Windows 2003 KDCs errors (as well as in
> W2000 SP, I believe) to give a more granular failure code relevant to
> Windows clients.  
> 
> For example, if you're dealing with an account restriction, the only
> really applicable KERB_ERR is "client revoked".  Clearly this is not a
> user friendly error, nor does it clearly convey what really happened to
> the user / application performing the AS_REQ.
> 
> It's not NDR encoded, and is really just an ASN wrapped structure.
> There's also another version of this edata floating around which is
> "TYPED" related to some very specific error conditions - when I did the
> first version of the edata, I was a protocol rookie (1 or 2 months on
> the job), and likely didn't preserve the true semantics of the edata -
> e.g. I didn't use it as a typed data blob...  Live and learn.

BTW, how does this relate to the GSS_C_EXTENDED_ERROR_FLAG on GSSAPI?  
(From draft-brezak-win2k-krb-rc4-hmac-04.txt)

It seems from reading the draft that this turns it on for a particular
GSSAPI stream.  Is that correct?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
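To make the "ASN wrapped structure" in the quoted reply concrete, here is an added example (not code from this thread, from Todd, or from Samba) that decodes a Windows KDC extended-error e-data blob and turns the embedded NT_STATUS value into a readable name. The layout is assumed from the MS-KILE specification rather than from the mail: a DER SEQUENCE with `data-type [1] INTEGER` and `data-value [2] OCTET STRING`, where data-type 3 (KERB_ERR_TYPE_EXTENDED) carries three little-endian ULONGs (status, reserved, flags). The sample blob is constructed in the block itself with a small encoder, so it runs offline; the NT_STATUS names are the well-known ntstatus.h values.

```python
"""Decode the Windows KDC extended-error e-data (KERB-ERROR-DATA).

Added example; assumptions taken from MS-KILE, not from the thread:
  KERB-ERROR-DATA ::= SEQUENCE {
      data-type  [1] INTEGER,
      data-value [2] OCTET STRING OPTIONAL }
  data-type 3 => data-value is KERB-EXT-ERROR: ULONG status, reserved, flags.
"""
import struct

KERB_ERR_TYPE_EXTENDED = 3  # assumed constant from MS-KILE

# Well-known NT_STATUS values a client may receive back from an AS-REQ.
NT_STATUS_NAMES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at buf[pos]; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:
        start = pos + 2
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def decode_kerb_error_data(edata: bytes) -> dict:
    """Parse the outer KERB-ERROR-DATA SEQUENCE into its two fields."""
    tag, seq, _ = _read_tlv(edata, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out = {"data_type": None, "data_value": None}
    pos = 0
    while pos < len(seq):
        ctag, cval, pos = _read_tlv(seq, pos)      # context tag [n]
        itag, ival, _ = _read_tlv(cval, 0)         # inner universal type
        if ctag == 0xA1 and itag == 0x02:          # [1] INTEGER
            out["data_type"] = int.from_bytes(ival, "big", signed=True)
        elif ctag == 0xA2 and itag == 0x04:        # [2] OCTET STRING
            out["data_value"] = ival
        else:
            raise ValueError(f"unexpected element tag {ctag:#x}/{itag:#x}")
    if out["data_type"] is None:
        raise ValueError("data-type is mandatory")
    return out


def explain_extended_error(edata: bytes) -> dict:
    """Map a KERB_ERR_TYPE_EXTENDED blob to its NT_STATUS code and name."""
    parsed = decode_kerb_error_data(edata)
    if parsed["data_type"] != KERB_ERR_TYPE_EXTENDED:
        return {"status": None, "name": None,
                "detail": f"data-type {parsed['data_type']} is not extended error"}
    value = parsed["data_value"]
    if value is None or len(value) < 12:
        raise ValueError("KERB-EXT-ERROR needs three ULONGs")
    status, reserved, flags = struct.unpack("<III", value[:12])
    return {"status": status, "name": NT_STATUS_NAMES.get(status, "unknown"),
            "reserved": reserved, "flags": flags}


# --- constructed sample input (encoder used only to build test data) ---
def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "short-form lengths are enough here"
    return bytes([tag, len(value)]) + value


def build_extended_error(status: int, flags: int = 0) -> bytes:
    """Build a constructed KERB-ERROR-DATA blob carrying an NT_STATUS."""
    ext = struct.pack("<III", status, 0, flags)
    body = _tlv(0xA1, _tlv(0x02, bytes([KERB_ERR_TYPE_EXTENDED])))
    body += _tlv(0xA2, _tlv(0x04, ext))
    return _tlv(0x30, body)


if __name__ == "__main__":
    sample = build_extended_error(0xC000006E)  # constructed: account restriction
    print(sample.hex())
    print(explain_extended_error(sample))
```

A client that only looks at the outer KRB-ERROR code sees the coarse "client revoked" mentioned above; decoding the e-data this way is what lets a Windows-style client (or a Samba KDC test) distinguish a disabled account from an expired password or a logon-hours restriction.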

