[RFC] fix bug 12007 (libads and kinit only as fallback)

Stefan Metzmacher metze at samba.org
Wed Jul 6 11:09:07 UTC 2016

Hi Uri,

> I think we're in agreement that Heimdal is at fault here, so I propose
> the following:
> 1. Fix bundled Heimdal not to try the keytab at all unless a
> CLIENT_KRB5_KTNAME env is set, and try to upstream this.
> 2. We still remain with users (real or imaginary) that use out-of-tree
> Heimdal, 1.5.x or something, for a member server setup. For those we
> can't fix Heimdal, and it's a change in samba that created the issue, the
> fact that it's a correct change notwithstanding. So I propose that for
> those (based on compile time defines) we use kinit always.

First I think we can and should fix this in Samba code.
Having additional fixes for Heimdal is good, but we should not rely on them.

I'm not sure if it's related, but Günther and I had to debug problems
where MIT libraries silently fallback to the default ccache
instead of using the explicitly set KRB5_ENV_CCNAME.

It might be related to gse_context_init() calling to krb5_cc_default_name().

I think that's a much worse problem than trying an AS-REQ without any

> As for your remarks about kinit: The usage pattern for the net tool and
> for winbindd is:
> 1. Obtain username/password from secrets.tdb or (in the case of net)
> from the U parameter. There's no single-sign-on operation for net AFAICT.
> 2. set KRB5_CCNAME to MEMORY:something, to create a separate ccache
> 3. Invoke libads (for ldap) and/or the smbcli (for smb) - those can
> theoretically share the credentials.
> 4. Internally, smb never assumes it got credentials from some prior
> operation, it always uses the user/password for kinit,

That's not true, it only does it if a password is specified.

> whereas libads first tries gssapi, and if that fails runs kinit and re-tries.

What we really need to fix is the interaction of cli_credentials
and the gensec_gse module.

gensec_gssapi_client_creds() uses cli_credentials_get_client_gss_creds(),
while we just have "TODO: get krb5 ticket using username/password, if no
valid one already available in ccache"
in gse_init_client().

So as long term goal we need to get rid of the ok =
if (!ok) { ads_kinit_password(); ads_sasl_spnego_gensec_bind() } pattern.

I didn't change that within the badlock fixes, because we already had
more than enough patches.

As a short term fix we may use similar logic in libads as in libsmb.

The attached patches may need more work.

gse_init_client()->gse_context_init() with ccache_name=NULL
and ads_init_gssapi_cred() using ads->auth.ccache_name
might be the same or additional potential problems.

We really need to avoid using global envvars like "KRB5CCNAME".
If we have to, we need to set them just temporary before gssapi/krb5 calls
and unset them after the call again.

> I'll open a separate bug on the delegation issue.

I don't think we need one.
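One way to scope KRB5CCNAME to a single krb5/gssapi call, as suggested above, written as an added example rather than Samba code: the previous value is saved and put back afterwards instead of just being unset, and the real krb5 call is stood in for by a hypothetical record_ccache() callback; the MEMORY: ccache name is a constructed sample.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Run fn(arg) with KRB5CCNAME pointing at ccache, then put the environment
 * back as it was: restore the previous value if there was one, otherwise
 * remove the variable again. Returns fn's result, or -1 if the variable
 * could not be set. The environment is process global, so this does not
 * make concurrent krb5 calls from several threads safe.
 */
int with_krb5ccname(const char *ccache, int (*fn)(void *), void *arg)
{
	const char *old = getenv("KRB5CCNAME");
	char *saved = old ? strdup(old) : NULL;
	int ret;
	if (old != NULL && saved == NULL) {
		return -1;
	}
	if (setenv("KRB5CCNAME", ccache, 1) != 0) {
		free(saved);
		return -1;
	}
	ret = fn(arg);
	if (saved != NULL) {
		setenv("KRB5CCNAME", saved, 1);
		free(saved);
	} else {
		unsetenv("KRB5CCNAME");
	}
	return ret;
}

/* Hypothetical stand-in for a gssapi/krb5 call: records the ccache it saw. */
int record_ccache(void *arg)
{
	const char *seen = getenv("KRB5CCNAME");
	snprintf((char *)arg, 64, "%s", seen ? seen : "(unset)");
	return 0;
}

int main(void)
{
	char used[64];
	/* constructed sample ccache name, not one Samba uses */
	with_krb5ccname("MEMORY:example_join", record_ccache, used);
	printf("call saw %s, afterwards KRB5CCNAME=%s\n", used,
	       getenv("KRB5CCNAME") ? getenv("KRB5CCNAME") : "(unset)");
	return 0;
}
```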
