From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 24 Feb 2017 17:30:56 +0000 (+0100)
Subject: s4:ldap_server: match windows in the error messages of failing LDAP Bind requests
X-Git-Tag: tdb-1.3.13~665
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=81ccdad9d045a7a6d6a569d1685bb0bf4e64d12a;p=thirdparty%2Fsamba.git

s4:ldap_server: match windows in the error messages of failing LDAP Bind requests

This is important for some applications to detect the
NT_STATUS_PASSWORD_MUST_CHANGE condition correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 1264d115c87..aad89315508 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -29,6 +29,37 @@
 #include "param/param.h"
 #include "../lib/util/tevent_ntstatus.h"
 
+static char *ldapsrv_bind_error_msg(TALLOC_CTX *mem_ctx,
+				    HRESULT hresult,
+				    uint32_t DSID,
+				    NTSTATUS status)
+{
+	WERROR werr;
+	char *msg = NULL;
+
+	status = nt_status_squash(status);
+	werr = ntstatus_to_werror(status);
+
+	/*
+	 * There are 4 lower case hex digits following 'v' at the end,
+	 * but different Windows Versions return different values:
+	 *
+	 * Windows 2008R2 uses 'v1db1'
+	 * Windows 2012R2 uses 'v2580'
+	 *
+	 * We just match Windows 2008R2 as that's what was referenced
+	 * in https://bugzilla.samba.org/show_bug.cgi?id=9048
+	 */
+	msg = talloc_asprintf(mem_ctx, "%08X: LdapErr: DSID-%08X, comment: "
+			      "AcceptSecurityContext error, data %x, v1db1",
+			      (unsigned)HRES_ERROR_V(hresult),
+			      (unsigned)DSID,
+			      (unsigned)W_ERROR_V(werr));
+
+	return msg;
+}
+
+
 static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 {
 	struct ldap_BindRequest *req = &call->request->r.BindRequest;
@@ -95,7 +126,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 		status = nt_status_squash(status);
 
 		result = LDAP_INVALID_CREDENTIALS;
-		errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status));
+		errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_INVALID_TOKEN,
+						0x0C0903A9, status);
 	}
 
 do_reply:
@@ -344,7 +376,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 		status = nt_status_squash(status);
 		if (result == 0) {
 			result = LDAP_INVALID_CREDENTIALS;
-			errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status));
+			errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_LOGON_DENIED,
+							0x0C0904DC, status);
 		}
 		talloc_unlink(conn, conn->gensec);
 		conn->gensec = NULL;