Issue 806910

Issue metadata

Status: Verified
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug



Chromad: Return proper error for unsupported enc type

Project Member Reported by ljusten@chromium.org, Jan 29 2018

Issue description

If encryption types don't match during Kerberos SSO, Samba shows

gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: KDC has no support for encryption type]

in the debug logs, but the displayed error is 

Failed to join domain: failed to connect to AD: An internal error occurred.

Make sure it returns a proper error that can be linked to the encryption type problem.
 
Status: Started (was: Assigned)
Project Member

Comment 2 by bugdroid1@chromium.org, Feb 1 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/ecbd2580249cf27a986cbc6c0ba0b662af759c8c

commit ecbd2580249cf27a986cbc6c0ba0b662af759c8c
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Feb 01 22:55:22 2018

Samba: Add patch to improve error handling

Adds a patch to handle a bunch of errors from gss_init_sec_context, in
particular an error when KDC does not support the requested encryption
type. This error is needed for Chromad to present the user a reasonable
error message.

Without the patch, Samba outputs an unspecific NT_STATUS_INTERNAL_ERROR.
With the patch, NT_STATUS_KDC_UNKNOWN_ETYPE is returned, which will be
handled in Chrome to present a proper error message to the user.

The error has come up during a cross-domain machine join operation (user
in domain A, machine joined to domain B). The KDC only allowed RC4-HMAC
crypto, but Chromad enforced the stronger AES crypto.

BUG= chromium:806910 
TEST=Samba compiles, tested on device

Change-Id: I34acdc26e8225270b190e876b1d393df0751351b
Reviewed-on: https://chromium-review.googlesource.com/892860
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[add] https://crrev.com/ecbd2580249cf27a986cbc6c0ba0b662af759c8c/net-fs/samba/files/samba-4.5.3-improve_gss_init_sec_context_error_handing.patch
[rename] https://crrev.com/ecbd2580249cf27a986cbc6c0ba0b662af759c8c/net-fs/samba/samba-4.5.3-r12.ebuild
[modify] https://crrev.com/ecbd2580249cf27a986cbc6c0ba0b662af759c8c/net-fs/samba/samba-4.5.3.ebuild

Status: Fixed (was: Started)
Status: Verified (was: Fixed)
Verified in M66.0.3359.102 10452.54.0 beta paine that the error is displayed when an unsupported encryption type option is selected.
