Kerberos auth in ntlm_auth (samba 3)

Luiz Angelo Daros de Luca luizluca at gmail.com
Wed Aug 1 18:30:07 GMT 2007


Hello,

I'm trying to set up ntlm_auth with Kerberos authentication on Samba 3. I
modified ntlm_auth to successfully authenticate Apache (with
apache2-mod_auth_ntlm_winbind) on MIT Kerberos 1.6.


ntlm_auth handles GSS-SPNEGO requests for OID_NTLMSSP and OID_KERBEROS5_OLD
but not OID_KERBEROS5.
I'm trying to use:

http://msdn2.microsoft.com/en-us/library/ms995330.aspx#http-sso-2_topic4

as reference. I didn't find a client that was able to generate
OID_KERBEROS5_OLD requests. Firefox and Konqueror
sent just OID_KERBEROS5. I copied and changed ntlm_auth's OID_KERBEROS5_OLD
handling to handle OID_KERBEROS5.

First of all, OID_KERBEROS5_OLD will always segfault, as the pac_data
parameter for ads_verify_ticket is set to NULL.

                        status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
                                                   &request.negTokenInit.mechToken,
                                                   &principal, NULL, &ap_rep,
                                                   &session_key);

NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
                           const char *realm,
                           time_t time_offset,
                           const DATA_BLOB *ticket,
                           char **principal,
                           PAC_DATA **pac_data,
                           DATA_BLOB *ap_rep,
                           DATA_BLOB *session_key)
{
(...)
*pac_data = NULL; // first pac_data Call

This should be fixed anyway...

I got messages like:

ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Invalid message type

if I use request.negTokenInit.mechToken as the ticket for ads_verify_ticket. I
noticed that ads_verify_ticket wants a Kerberos AP-REQ as the ticket, but Firefox
and Konqueror were sending something different (GSSAPI?). It includes,
before the Kerberos AP-REQ, the KRB5 OID and krb4_tok_id. Who is right? Wireshark
decoded it correctly. As I don't know for sure what it is, I just skipped the
first 17 bytes and sent the remainder as the 'ticket'. I also created a variable to
fill pac_data's place.

                        kerberos_token.data=kerberos_token.data+17;
                        kerberos_token.length=kerberos_token.length-17;

                        status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
                                                   &kerberos_token,
                                                   &principal, &pac_data, &ap_rep,
                                                   &session_key);

Another Apache module, mod_auth_krb5, uses that block as a parameter to
(GSSAPI) gss_accept_sec_context.

http://modauthkerb.cvs.sourceforge.net/modauthkerb/mod_auth_kerb/src/mod_auth_kerb.c?revision=1.134&view=markup
http://modauthkerb.cvs.sourceforge.net/modauthkerb/mod_auth_kerb/spnegokrb5/accept_sec_context.c?revision=1.10&view=markup

Samba seems not to use gss calls and I don't know what the right thing to
do is.

ntlm_auth seems to be a little crappy (as is my English). Almost any
"unexpected" input results in a segfault (such as clock skew). It just doesn't
handle the "other cases".

What do you guys recommend? Finish this job (with some help) or just wait for
Samba 4? ntlm_auth in Samba 4 seems to be much better structured.



-- 
      Luiz Angelo Daros de Luca
            luizluca at gmail.com
              ICQ: 19290419

I Know, "Where you wanted to go today",
    but I decided to stop here instead!
                        MS Windows
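
The 17 bytes skipped in the message above are the GSS-API initial context token header (RFC 2743 section 3.1): the 0x60 tag, a DER length, the Kerberos 5 mechanism OID and a 2-byte token ID. The count is 17 only when the length takes the two-octet long form (0x82 LL LL). The C below is an added example, not part of the original post and not Samba code; it locates the AP-REQ by parsing that header with bounds checks, and its function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2 */
static const uint8_t KRB5_OID[] = {0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
                                   0xf7, 0x12, 0x01, 0x02, 0x02};

/* Read a DER length at buf[*pos]; returns 0 on success, -1 on bad input. */
static int der_len(const uint8_t *buf, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }        /* short form */
    size_t k = b & 0x7f;                         /* count of length octets */
    if (k == 0 || k > 4 || k > n - *pos) return -1;
    *out = 0;
    while (k--) *out = (*out << 8) | buf[(*pos)++];
    return 0;
}

/* Find the AP-REQ in a GSS-API Kerberos token: 0 and a view into buf, or -1. */
int gss_krb5_unwrap_ap_req(const uint8_t *buf, size_t n,
                           const uint8_t **ap_req, size_t *ap_req_len)
{
    size_t pos = 0, body;
    if (n < 1 || buf[pos++] != 0x60) return -1;  /* [APPLICATION 0] tag */
    if (der_len(buf, n, &pos, &body) != 0) return -1;
    if (body > n - pos || body < sizeof(KRB5_OID) + 2) return -1;
    if (memcmp(buf + pos, KRB5_OID, sizeof(KRB5_OID)) != 0) return -1;
    pos += sizeof(KRB5_OID);
    if (buf[pos] != 0x01 || buf[pos + 1] != 0x00) return -1; /* TOK_ID: AP-REQ */
    *ap_req = buf + pos + 2;
    *ap_req_len = body - sizeof(KRB5_OID) - 2;
    return 0;
}

int main(void)
{
    /* Constructed sample with a short-form length: AP-REQ is at 15, not 17. */
    const uint8_t tok[] = {0x60, 0x0f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
                           0x12, 0x01, 0x02, 0x02, 0x01, 0x00, 0x6e, 0x00};
    const uint8_t *p; size_t len;
    if (gss_krb5_unwrap_ap_req(tok, sizeof tok, &p, &len) != 0) return 1;
    printf("AP-REQ at offset %zu, %zu bytes\n", (size_t)(p - tok), len);
    return 0;
}
```

A token that fails any of these checks is rejected before anything reaches the ticket verification code, so a truncated or non-Kerberos mechToken cannot cause a read past the end of the buffer.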

