[PATCH] s3-ntlm_auth: Fix gss-spnego-client to work with gss-spnego

Christof Schmitt christof.schmitt at us.ibm.com
Wed Feb 1 16:48:32 MST 2012

Andrew Bartlett <abartlet at samba.org> wrote on 02/01/2012 12:43:40 AM:

> On Wed, 2012-02-01 at 08:04 +0100, Kai Blin wrote:
> > On 2012-01-31 19:24, Christof Schmitt wrote:
> > 
> > Hi Christof,
> > 
> > > I am working on moving the call to ads_verify_ticket from
> > > ntlm_auth to winbindd. While trying to test the ntlm_auth client
> > > and server mode together i found that the data format is not
> > > compatible. The attached patch changes the client mode to be
> > > compatible with the server mode.
> > 
> > Good catch. We should probably add a test case for this so it doesn't
> > break again. There's an existing python script capable of starting up
> > server and client processes and copying the Base64 data between them. It
> > might need some minor changes for spnego support, but it seems like a
> > good place to start. source3/torture/test_ntlm_auth.py is the test
> > script, source3/script/tests/test_ntlm_auth_s3.sh takes care of 
> > the test from the testsuite.

Thanks for all the useful information. Due to shifting of
priorities, this work will have a lower priority for me the next
few weeks. I can try to add the test when I continue working on

> That's very interesting.  The background here is that according to my
> notes in source4/auth/gensec/gensec_krb5.c, Win2k3 at least allows this
> wrapping to be omitted, so it could be argued that the bug is in our
> SPNEGO server for not accepting this abomination against the
> standards :-)

Thanks for clarifying this. I just wanted to have a test before
moving on to the next step and stumbled across the
incompatibility in ntlm_auth.

> Hopefully I'll be able to move ntlm_auth across to gensec soon
> (following on from the work in the CIFS session setup code).  That will
> probably fix this for master, but of course 3.6 will need this fixed one
> way or the other.
> Adding a test will be important in validating whatever work happens
> here. The ktest environment and pre-computed credentials cache will help
> cope with the lack of a KDC in the s3 test environment. 
> On your original problem, please work with me closely to ensure we come
> up with a solution that will last into the future.  We are working to
> remove the manual GSSAPI parsing logic, and instead calling gensec and
> the gensec_gse module.  In particular, I'm hoping that
> ads_verify_ticket() will go away entirely, allowing us to remove a good
> deal of manual SPNEGO code and krb5 implementation-specific code with
> it, and letting us accept AES kerberos tickets. 

With moving the call to ads_verify_ticket I am trying to
implement an interface to winbind that allows verifying tickets
from a DC. With the current code I would have tried to have a
call into winbind that accepts the ticket and returns the data
from the verification that is currently used in ntlm_auth. The
idea is that other applications can use the same interface to
verify tickets through winbind.

> The challenge is that it may make the communication with winbind have
> much more state than you were originally hoping, as a proxy here will
> essentially need to remote the entire authentication exchange. 

What state would be necessary? My thinking is that a ticket would
be passed to winbindd that calls ads_verify_ticket (or the
replacement code for that) and winbindd returns some data from
the verification. Where would the additional state come into the


Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
