[PATCH] s3-ntlm_auth: Fix gss-spnego-client to work with gss-spnego

Andrew Bartlett abartlet at samba.org
Wed Feb 1 00:43:40 MST 2012


On Wed, 2012-02-01 at 08:04 +0100, Kai Blin wrote:
> On 2012-01-31 19:24, Christof Schmitt wrote:
> 
> Hi Christof,
> 
> > i am working on moving the call to ads_verify_ticket from
> > ntlm_auth to winbindd. While trying to test the ntlm_auth client
> > and server mode together i found that the data format is not
> > compatible. The attached patch changes the client mode to be
> > compatible with the server mode.
> 
> Good catch. We should probably add a test case for this so it doesn't
> break again. There's an existing python script capable of starting up
> server and client processes and copying the Base64 data between them. It
> might need some minor changes for spnego support, but it seems like a
> good place to start. source3/torture/test_ntlm_auth.py is the test
> script, source3/script/tests/test_ntlm_auth_s3.sh takes care of running
> the test from the testsuite.

Christof, 

That's very interesting.  The background here is that according to my
notes in source4/auth/gensec/gensec_krb5.c, Win2k3 at least allows this
wrapping to be omitted, so it could be argued that the bug is in our
SPNEGO server for not accepting this abomination against the
standards :-)

Hopefully I'll be able to move ntlm_auth across to gensec soon
(following on from the work in the CIFS session setup code).  That will
probably fix this for master, but of course 3.6 will need this fixed one
way or the other.

Adding a test will be important in validating whatever work happens
here. The ktest environment and pre-computed credentials cache will help
cope with the lack of a KDC in the s3 test environment. 

On your original problem, please work with me closely to ensure we come
up with a solution that will last into the future.  We are working to
remove the manual GSSAPI parsing logic, and instead calling gensec and
the gensec_gse module.  In particular, I'm hoping that
ads_verify_ticket() will go away entirely, allowing us to remove a good
deal of manual SPNEGO code and krb5 implementation-specific code with
it, and letting us accept AES kerberos tickets.  

The challenge is that it may make the communication with winbind have
much more state than you were originally hoping, as a proxy here will
essentially need to remote the entire authentication exchange. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org