From fe90576871b5d644b9e888fd7a0b0351feaba750 Mon Sep 17 00:00:00 2001
From: Jo Sutton
Date: Wed, 12 Jun 2024 14:42:38 +1200
Subject: [PATCH] third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This lets us match the Windows FAST reply when the password is expired. Windows clients were upset by the NTSTATUS field in the edata, apparently interpreting it to mean “insufficient resource”.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton
Reviewed-by: Douglas Bagnall
---
 selftest/knownfail_heimdal_kdc | 8 --------
 third_party/heimdal/kdc/fast.c | 13 ++++++++++++-
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index b3df84e8959..811d3202729 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -156,11 +156,3 @@
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_target_policy\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_rodc_issued\(ad_dc\)$
-#
-# Lockout tests
-#
-^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_disabled_fast\(ad_dc:local\)$
-^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_expired_fast\(ad_dc:local\)$
-^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_locked_out_fast\(ad_dc:local\)$
-^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_must_change_fast\(ad_dc:local\)$
-^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_password_expired_fast\(ad_dc:local\)$
diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c
index bc77f74664c..d6b6ab2bbb3 100644
--- a/third_party/heimdal/kdc/fast.c
+++ b/third_party/heimdal/kdc/fast.c
@@ -482,7 +482,18 @@ _kdc_fast_mk_error(astgs_request_t r,
 heim_assert(r != NULL, "invalid request in _kdc_fast_mk_error");
- if (r->e_data.length) {
+ if (!armor_crypto && r->e_data.length) {
+ /*
+ * If we’re not armoring the response with FAST, r->e_data
+ * takes precedence over the e‐data that would normally be
+ * generated. r->e_data typically contains a
+ * Microsoft‐specific NTSTATUS code.
+ *
+ * But if FAST is in use, Windows Server suppresses the
+ * NTSTATUS code in favour of an armored response
+ * encapsulating an ordinary KRB‐ERROR. So we ignore r->e_data
+ * in that case.
+ */
 e_data = &r->e_data;
 } else {
 ret = _kdc_fast_mk_e_data(r,
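Review bot: The new comment uses non-ASCII punctuation (a U+2019 apostrophe in `we’re` and U+2010 hyphens in `e‐data`, `Microsoft‐specific` and `KRB‐ERROR`), which is why the patch needed the 8-bit UTF-8 MIME headers; Heimdal sources are otherwise plain ASCII, and such characters are easy to mangle in tooling and hard to distinguish from their ASCII look-alikes in review, so `we're`, `e-data`, `Microsoft-specific` and `KRB-ERROR` would be preferable. The condition itself reads correctly, but `armor_crypto` is presumably a parameter of `_kdc_fast_mk_error`, whose signature and body lie outside the hunk, so the unarmored path's behaviour cannot be confirmed from here. Since the lockout tests this commit drops from knownfail are named for account-status reasons (disabled, expired, locked out, must change) and apparently exercise this NTSTATUS e-data, a reader assessing what the KDC discloses would benefit from one sentence in the comment stating that only the FAST-armored reply omits the code and unarmored exchanges still carry it, e.g. `* Unarmored exchanges still carry the NTSTATUS e-data.`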