kdc: Allow plugin to override KDC reply e-data

[jsutton24]

This is useful in order to produce custom error responses, as Windows does for NTSTATUS codes.

[jsutton24]

Rebased on master.

[abartlet]

@nicowilliams It would be very helpful to get this merged, we think we have addressed all the concerns raised by @lhoward. This change is quite important to Samba because if we don't get the error replies matching windows exactly we get clients retrying in a way that locks them out twice as fast under "bad password lockout".

[abartlet]

The recent update by @josephsutton1 is related to https://gitlab.com/samba-team/samba/-/merge_requests/3377 - without that change Heimdal clients against a Windows DC that is imposing a Silo / authentication policy restriction gets a very confusing Miscellaneous failure (see text): Failed to decode METHOD-DATA (host/winclient@ADDOM.SAMBA.EXAMPLE.COM)

[jsutton24]

Just below this we have:

	    /*
	     * Unwrap KRB-ERROR, we are always calling this so that
	     * FAST can tell us if your peer KDC suddenly dropped FAST
	     * wrapping and its really an attacker's packet (or a bug
	     * in the KDC).
	     */
	    ret = _krb5_fast_unwrap_error(context, ctx->nonce, &ctx->fast_state,
					  &ctx->md, &ctx->error);

and a similar call in the get_cred_kdc() case.

The problem is that KERB-ERROR-DATA is not wrapped in FX-FAST, but _krb5_fast_unwrap_error() will notice if the reply is supposed to be FAST‐armored (and give the potentially confusing error message “FAST fast response is missing FX-FAST”).

Is it safe to bypass this call and treat a KERB-ERROR-DATA response as authoritative when we can’t guarantee that the KDC really issued the response?

[jsutton24]

I checked the FAST RFC, which says:

“If the Kerberos FAST padata is included in the request but not included in the error reply, it is a matter of the local policy on the client to accept the information in the error message without integrity protection. However, the client SHOULD process the KDC errors as the result of the KDC's inability to accept the AP_REQ armor and potentially retry another request with a different armor when applicable” — that’s not the case here. “The Kerberos client MAY process an error message without a PA-FX-FAST-REPLY, if that is only intended to return better error information to the application, typically for trouble-shooting purposes.”

https://datatracker.ietf.org/doc/html/rfc6113#section-5.4.4

[jsutton24]

Now Samba will produce error messages that are a bit more helpful:

Miscellaneous failure (see text): KDC policy rejects request (NT status code 0xc0000413) (host/winclient@ADDOM.SAMBA.EXAMPLE.COM)

[jsutton24]

Sigh, MSVC appears to violate the C standard by supporting uint32_t but not PRIx32.

[jsutton24]

Instead, MSVC forces us to use "%I32x".

[abartlet]

That could be put into a define in roken if we wanted.

[jsutton24]

This won’t work. We need to continue to the ret == KRB5KDC_ERR_KEY_EXP && ctx->runflags.change_password == 0 && ctx->runflags.change_password_prompt case so that the user can be prompted to change their password if it has expired.