third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2...
authorJo Sutton <josutton@catalyst.net.nz>
Wed, 12 Jun 2024 02:42:38 +0000 (14:42 +1200)
committerJule Anger <janger@samba.org>
Wed, 3 Jul 2024 09:56:13 +0000 (09:56 +0000)
This lets us match the Windows FAST reply when the password is expired.

Windows clients were upset by the NTSTATUS field in the edata,
apparently interpreting it to mean “insufficient resource”.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(backported from commit fe90576871b5d644b9e888fd7a0b0351feaba750)

[jsutton@samba.org Fixed conflicts in knownfails and
 third_party/heimdal/kdc/fast.c]

Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Wed Jul  3 09:56:13 UTC 2024 on atb-devel-224

selftest/knownfail_heimdal_kdc
third_party/heimdal/kdc/fast.c

index a3bca02695b44f96db0ce26dbdef986ecf05434c..8c4c7f73ff5a7e3018069936e36f339d6aadaa4e 100644 (file)
 ^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_certificate_signature_win2k.ad_dc
 ^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_signature_win2k.ad_dc
 ^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_win2k.ad_dc
-#
-# Lockout tests
-#
-^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_disabled_fast\(ad_dc:local\)$
-^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_expired_fast\(ad_dc:local\)$
-^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_locked_out_fast\(ad_dc:local\)$
-^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_must_change_fast\(ad_dc:local\)$
-^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_password_expired_fast\(ad_dc:local\)$
index b63d0b16a9d143714b9cd0dbe3185aa3f9761b57..b6dfab849feed82d2198b92e73954514031ddc5f 100644 (file)
@@ -488,7 +488,18 @@ _kdc_fast_mk_error(astgs_request_t r,
 
     heim_assert(r != NULL, "invalid request in _kdc_fast_mk_error");
 
-    if (r->e_data != NULL) {
+    if (!armor_crypto && r->e_data != NULL) {
+       /*
+        * If we’re not armoring the response with FAST, r->e_data
+        * takes precedence over the e‐data that would normally be
+        * generated. r->e_data typically contains a
+        * Microsoft‐specific NTSTATUS code.
+        *
+        * But if FAST is in use, Windows Server suppresses the
+        * NTSTATUS code in favour of an armored response
+        * encapsulating an ordinary KRB‐ERROR. So we ignore r->e_data
+        * in that case.
+        */
        e_data = r->e_data;
     } else {
        ret = _kdc_fast_mk_e_data(r,
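Review bot: The `else` branch now covers two different cases, a request with no `r->e_data` and a FAST-armored request whose populated `r->e_data` is deliberately discarded, yet the only explanation sits inside the `if` body, the one path where nothing is discarded. A short comment on the `else`, for example `/* No caller-supplied e-data, or FAST in use: build the standard e-data. */`, would put the suppression where it takes effect. The added comment also uses non-ASCII apostrophe and hyphen characters, so a plain search for `e-data` or `KRB-ERROR` will not find it; ASCII `'` and `-` would keep it searchable. The body of `_kdc_fast_mk_error` and the `_kdc_fast_mk_e_data` call continue outside the hunk, so how `armor_crypto` is set and whether the skipped `r->e_data` is read elsewhere cannot be confirmed from here.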