[RFC] fix bug 12007

Uri Simchoni uri at samba.org
Sun Jul 3 21:00:54 UTC 2016


Attached is a proposed fix for bug 12007 - spurious AS requests for
"root at my.domain.com" generated by a member server. Still running it
through local autobuild.

The issue surfaced after the April security release, which started using
gensec_gse for binding LDAP connections.

The root cause is that with Heimdal, gss_acquire_cred() is generating
this AS request if the credentials are not found in the ccache. I have
no idea what good can possibly come out of this AS request for any user
of Kerberos. The attached fix replaces gss_acquire_cred by

I'd like some feedback from those familiar with this code -
1. It could be that the right fix is in Heimdal
2. The reason for acquiring the credentials (in client context!) seems
to be to be able to set GSS_KRB5_CRED_NO_CI_FLAGS_X option on the
credentials - not sure what scenario this fixes and how to test there's
no degradation there.
3. Perhaps someone can easily determine the MIT behavior - if MIT is not
sending this request then maybe the patch should be #ifdef'd on Kerberos
type - use the more portable gss_acquire_cred() with MIT Kerberos.

-------------- next part --------------
From 7ffb036a28b66a145ae479b67b8100ed4a010262 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Sun, 3 Jul 2016 23:46:17 +0300
Subject: [PATCH] s3-gse: initialize client without generating Kerberos traffic

use gss_krb5_import_cred() instead of gss_acquire_cred() when
initializing client, because gss_acquire_cred() generates, at
least with Heimdal, an extra AS request if the credentials
do not exist in the credential cache.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007

Signed-off-by: Uri Simchoni <uri at samba.org>
 source3/librpc/crypto/gse.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 963c98a..ec7453a 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -204,7 +204,9 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
 	struct gse_context *gse_ctx;
 	OM_uint32 gss_maj, gss_min;
 	gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER;
 	gss_OID_set_desc mech_set;
 	gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
@@ -249,6 +251,16 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
 	/* TODO: get krb5 ticket using username/password, if no valid
 	 * one already available in ccache */
+	/* At least for Heimdal, gss_acquire_cred() generates an
+	 * AS request if no credentials are available - on behalf
+	 * of the user who is running. We don't want that, but I
+	 * have no idea how to stop it. gss_krb5_import_cred()
+	 * has no such side effects.
+	 */
+	gss_maj = gss_krb5_import_cred(&gss_min, gse_ctx->ccache, NULL, NULL,
+				       &gse_ctx->creds);
 	mech_set.count = 1;
 	mech_set.elements = &gse_ctx->gss_mech;
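
Review bot: the status that the added gss_krb5_import_cred() call stores in gss_maj is not tested in the lines shown here before the function goes on to the mech_set setup. If the gss_acquire_cred() path that follows still runs, it overwrites both gss_maj and gse_ctx->creds, which leaks the imported credential and leaves the unwanted AS request in place. Suggest testing gss_maj immediately after the import and making the old call conditional on that result, or removing it. The comment's "I have no idea how to stop it" would be better replaced by a plain statement of why the import call is used, with a pointer to bug 12007. The call also appears without any build guard, so a configure check or #ifdef is needed if any supported GSSAPI library lacks gss_krb5_import_cred().
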
@@ -259,6 +271,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
 				   NULL, NULL);
 	if (gss_maj) {
 		DEBUG(5, ("gss_acquire_creds failed for GSS_C_NO_NAME with [%s] -"
 			  "the caller may retry after a kinit.\n",
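
Review bot: the DEBUG(5) text under `if (gss_maj)` still reads "gss_acquire_creds failed for GSS_C_NO_NAME". If gss_maj can now come from gss_krb5_import_cred(), the message should name the call that actually failed, otherwise the log points an administrator at the wrong function. The "may retry after a kinit" hint remains accurate and can stay.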
