gensec returns the wrong error to kerberos errors like Ticket Expired and clock skew issues
Richard Sharpe
realrichardsharpe at gmail.com
Wed Nov 4 19:14:50 UTC 2015
On Wed, Nov 4, 2015 at 10:22 AM, Jeremy Allison <jra at samba.org> wrote:
> On Wed, Nov 04, 2015 at 10:00:48AM -0800, Richard Sharpe wrote:
>> Hi folks,
>>
>> A capture I have indicates that when a Windows server gets a
>> KRB5KRB_AP_ERR_TKT_EXPIRED error it returns
>> STATUS_MORE_PROCESSING_REQUIRED along with an SPNEGO negTokenTarg with
>> the Kerberos error blob in it.
>>
>> Samba, and it looks like gensec, folds that down to LOGON_FAILED,
>> which makes it very hard for admins to figure out what the real error
>> is.
>>
>> Is there a bugzilla on this?
>>
>> If I get a chance I will try to provide a fix.
>
> I think that is intentional in order to prevent
> username guessing attacks.
That doesn't even pass the smell test. The KDC is responsible for
preventing password guessing games.
In this case the KDC issued a valid ticket, but because of a large
amount of clock skew between the server and the issuer the ticket was
regarded as expired.
Windows pops up a message telling the user that there is too much
clock skew in this case.
With the Samba response the user is simply prompted for his creds again.
> Does the real error get logged inside Samba
> somewhere ?
I am getting the QA guy to redo the tests and get me the Samba logs.
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
More information about the samba-technical
mailing list