gensec returns the wrong error to kerberos errors like Ticket Expired and clock skew issues
Jeremy Allison
jra at samba.org
Wed Nov 4 18:22:08 UTC 2015
On Wed, Nov 04, 2015 at 10:00:48AM -0800, Richard Sharpe wrote:
> Hi folks,
>
> A capture I have indicates that when a Windows server gets a
> KRB5KRB_AP_ERR_TKT_EXPIRED error it returns
> STATUS_MORE_PROCESSING_REQUIRED along with an SPNEGO negTokenTarg with
> the Kerberos error blob in it.
>
> Samba, and it looks like gensec, folds that down to LOGON_FAILED,
> which makes it very hard for admins to figure out what the real error
> is.
>
> Is there a bugzilla on this?
>
> If I get a chance I will try to provide a fix.
I think that is intentional in order to prevent
username guessing attacks.
Does the real error get logged inside Samba
somewhere ?
More information about the samba-technical
mailing list