diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index b3df84e8959..811d3202729 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -156,11 +156,3 @@ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_target_policy\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_rodc_issued\(ad_dc\)$ -# -# Lockout tests -# -^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_disabled_fast\(ad_dc:local\)$ -^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_expired_fast\(ad_dc:local\)$ -^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_locked_out_fast\(ad_dc:local\)$ -^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_must_change_fast\(ad_dc:local\)$ -^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_password_expired_fast\(ad_dc:local\)$ diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c index bc77f74664c..d6b6ab2bbb3 100644 --- a/third_party/heimdal/kdc/fast.c +++ b/third_party/heimdal/kdc/fast.c @@ -482,7 +482,18 @@ _kdc_fast_mk_error(astgs_request_t r, heim_assert(r != NULL, "invalid request in _kdc_fast_mk_error"); - if (r->e_data.length) { + if (!armor_crypto && r->e_data.length) { + /* + * If we’re not armoring the response with FAST, r->e_data + * takes precedence over the e‐data that would normally be + * generated. r->e_data typically contains a + * Microsoft‐specific NTSTATUS code. + * + * But if FAST is in use, Windows Server suppresses the + * NTSTATUS code in favour of an armored response + * encapsulating an ordinary KRB‐ERROR. So we ignore r->e_data + * in that case. + */ e_data = &r->e_data; } else { ret = _kdc_fast_mk_e_data(r,