Samba4 with extensible security mechanisms
lukeh at padl.com
Fri May 13 08:47:05 MDT 2011
I'm pleased to report that I managed to get Samba4 working with Moonshot, a new GSS-API mechanism based on EAP, RADIUS, and SAML.
$ bin/smbclient --password samba --mechanism 184.108.40.206.4.1.53220.127.116.11 '\\server\moonshot'
EAP-TTLS: Authentication completed successfully
EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
GSS-EAP: state transition AUTHENTICATE->INITIATOR_EXTS
GSS-EAP: state transition INITIATOR_EXTS->ACCEPTOR_EXTS
GSS-EAP: state transition ACCEPTOR_EXTS->ESTABLISHED
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
This is interesting not just to Moonshot, but to others that want to deploy GSS mechanisms such as SAML, OAuth and OpenID. There is nothing specific to Moonshot in Samba4.
Samba4 makes the following demands on a GSS mechanism beyond support for context establishment, mutual authentication, etc. First, the mechanism must be able to return a PAC as a GSS naming attribute. Second, it must expose a session key through the GSS_C_INQ_SSPI_SESSION_KEY context option. (Both can also be obtained through other context options, but those are private to Heimdal, so I'm not advocating them.)
In the Moonshot case, the PAC is tunnelled over RADIUS (generated by the AAA server using S4U2Self), and the EAP mechanism provides the session key. Were it not for some limitations which I won't go into here, this doesn't require any changes to the Moonshot GSS mechanism.
I'll send the patches through shortly, but here's an overview of the changes I had to make to Samba4.
* try both gss_get_name_attribute() and gss_inquire_sec_context_by_oid() to obtain PAC
* try both GSS_C_INQ_SSPI_SESSION_KEY and gsskrb5_get_subkey() to obtain session key
* change "enum credentials_use_kerberos" to an enumeration indicating the disposition for arbitrary GSS mechanisms, and supplement it in struct cli_credentials with a mechanism OID
* pass selected mechanism OID into gss_init_sec_context()
* add a function to acquire non-Kerberos GSS credentials with gss_acquire_cred_with_password() or gss_acquire_cred()
* use gss_indicate_mechs_by_attrs() to build a list of GSS mechanisms to dynamically register from within gensec_gssapi_init()
* other miscellaneous fixes
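As an added example (not from the patches or from Samba itself), here is how a dotted-decimal mechanism OID string of the kind given to --mechanism above becomes the DER arc bytes a gss_OID carries before it can be handed to gss_init_sec_context(); the function names and buffer handling are my own, and a real build would use gss_str_to_oid() where the GSS library offers it.

```c
/* Encode a dotted-decimal OID ("1.2.840.113554.1.2.2") into the DER arc
 * bytes a gss_OID points at. Hypothetical helper, not Samba or Heimdal code. */
#include <stdlib.h>
#include <string.h>

/* Append one arc in base-128, continuation bit set on all but the last byte.
 * Returns the new length, or -1 if the output buffer is too small. */
static int put_arc(unsigned long arc, unsigned char *out, int len, int cap)
{
    unsigned char tmp[10];
    int n = 0;
    do {
        tmp[n++] = (unsigned char)(arc & 0x7f);
        arc >>= 7;
    } while (arc);
    if (len + n > cap)
        return -1;
    while (n--)                       /* most-significant group goes first */
        out[len++] = tmp[n] | (n ? 0x80 : 0x00);
    return len;
}

/* Parse "a.b.c..." into DER OID contents; returns the byte count or -1 on
 * malformed input (fewer than two arcs, first arc > 2, second arc > 39 when
 * the first arc is 0 or 1, trailing dot, stray characters, buffer too small). */
int oid_from_dotted(const char *s, unsigned char *out, int cap)
{
    unsigned long first, arc;
    char *end;
    int len = 0;

    first = strtoul(s, &end, 10);
    if (end == s || *end != '.' || first > 2)
        return -1;
    s = end + 1;
    arc = strtoul(s, &end, 10);
    if (end == s || (first < 2 && arc > 39))
        return -1;
    len = put_arc(first * 40 + arc, out, len, cap); /* first two arcs share a byte */
    for (s = end; *s == '.'; s = end) {
        arc = strtoul(s + 1, &end, 10);
        if (end == s + 1 || len < 0)  /* no digits after the dot, or overflow */
            return -1;
        len = put_arc(arc, out, len, cap);
    }
    return (*s == '\0' && len > 0) ? len : -1;
}
```

The resulting bytes are what a gss_OID_desc's elements field points at, with its length set to the returned count.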
I also updated the included Heimdal to the lukeh/moonshot branch, but it should be possible to use it with master as well (although you won't get gss_acquire_cred_with_password()).
More information about the samba-technical