[RFC] fix bug 12007

Andrew Bartlett abartlet at samba.org
Wed Jul 6 11:11:29 UTC 2016


On Wed, 2016-07-06 at 09:51 +0300, Uri Simchoni wrote:
> Simo,
> 
> I think we're in agreement that Heimdal is at fault here, so I
> propose the following:
> 1. Fix bundled Heimdal not to try the keytab at all unless a
> CLIENT_KRB5_KTNAME env is set, and try to upstream this.
> 2. We still remain with users (real or imaginary) that use
> out-of-tree Heimdal, 1.5.x or something, for a member server setup.
> For those we can't fix Heimdal, and it's a change in samba that
> created the issue, the fact that it's a correct change
> notwithstanding. So I propose that for those (based on compile time
> defines) we use kinit always.
> 
> As for your remarks about kinit: The usage pattern for the net tool
> and for winbindd is:
> 1. Obtain username/password from secrets.tdb or (in the case of net)
> from the U parameter. There's no single-sign-on operation for net
> AFAICT.
> 2. Set KRB5_CCNAME to MEMORY:something, to create a separate ccache.
> 3. Invoke libads (for ldap) and/or the smbcli (for smb) - those can
> theoretically share the credentials.
> 4. Internally, smb never assumes it got credentials from some prior
> operation, it always uses the user/password for kinit, whereas libads
> first tries gssapi, and if that fails runs kinit and re-tries.

A good deal of this can be made to work if we just use the credentials
interface fully, as we can and do tightly control the ccache use there,
when used with gensec_gssapi code.  

The gensec_gse code from source3 was never fully glued to this, out of
a desire at the time to not change behaviour, rather than seek correct
behaviour, when gensec was introduced 'as a wrapper' to the source3
code. 

This has been compounded by the change to use full GSSAPI to avoid the
badlock issues, where we previously still used hand-created
gssapi/krb5.

Since then we have successfully merged many components, and we should
either merge gensec_gssapi and gensec_gse or use gensec_gssapi in the
client. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba