[RFC] fix bug 12007 (libads and kinit only as fallback)
Stefan Metzmacher
metze at samba.org
Wed Jul 6 11:15:53 UTC 2016
ENOPATCH...
On 06.07.2016 at 13:09, Stefan Metzmacher wrote:
> Hi Uri,
>
>> I think we're in agreement that Heimdal is at fault here, so I propose
>> the following:
>> 1. Fix bundled Heimdal not to try the keytab at all unless a
>> CLIENT_KRB5_KTNAME env is set, and try to upstream this.
>> 2. We still remain with users (real or imaginary) that use out-of-tree
>> Heimdal, 1.5.x or something, for a member server setup. For those we
>> can't fix Heimdal, and it's a change in samba that created the issue, the
>> fact that it's a correct change notwithstanding. So I propose that for
>> those (based on compile time defines) we use kinit always.
>
> First I think we can and should fix this in Samba code.
> Having additional fixes for Heimdal is good, but we should not rely on them.
>
> I'm not sure if it's related, but Günther and I had to debug problems
> where MIT libraries silently fallback to the default ccache
> instead of using the explicitly set KRB5_ENV_CCNAME.
>
> It might be related to gse_context_init() calling to krb5_cc_default_name().
>
> I think that's a much worse problem than trying an AS-REQ without any
> password.
>
>> As for your remarks about kinit: The usage pattern for the net tool and
>> for winbindd is:
>> 1. Obtain username/password from secrets.tdb or (in the case of net)
>> from the U parameter. There's no single-sign-on operation for net AFAICT.
>> 2. set KRB5_CCNAME to MEMORY:something, to create a separate ccache
>> 3. Invoke libads (for ldap) and/or the smbcli (for smb) - those can
>> theoretically share the credentials.
>> 4. Internally, smb never assumes it got credentials from some prior
>> operation, it always uses the user/password for kinit,
>
> That's not true, it only does it if a password is specified.
>
>> whereas libads first tries gssapi, and if that fails runs kinit and re-tries.
>
> What we really need to fix is the interaction of cli_credentials
> and the gensec_gse module.
>
> gensec_gssapi_client_creds() uses cli_credentials_get_client_gss_creds(),
> while we just have "TODO: get krb5 ticket using username/password, if no
> valid one already available in ccache"
> in gse_init_client().
>
> So as long term goal we need to get rid of the ok =
> ads_sasl_spnego_gensec_bind()
> if (!ok) { ads_kinit_password(); ads_sasl_spnego_gensec_bind() } pattern.
>
> I didn't change that within the badlock fixes, because we already had
> more than enough patches.
>
> As a short term fix we may use logic in libads similar to that in libsmb.
>
> The attached patches may need more work.
>
> gse_init_client()->gse_context_init() with ccache_name=NULL
> and ads_init_gssapi_cred() using ads->auth.ccache_name
> might be the same or additional potential problems.
>
> We really need to avoid using global envvars like "KRB5CCNAME".
> If we have to, we need to set them just temporarily before gssapi/krb5 calls
> and unset them after the call again.
>
>> I'll open a separate bug on the delegation issue.
>
> I don't think we need one.
>
> metze
>
-------------- next part --------------
From 2dba6a45c14cc02df114cc70ed882c4a7de89d07 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 6 Jul 2016 12:44:11 +0200
Subject: [PATCH 1/2] TODO: MEMORY:ads_sasl_spnego_bind
---
source3/libads/sasl.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 10f63e8..190aa53 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -748,18 +748,24 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
got_kerberos_mechanism)
{
- status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
- CRED_MUST_USE_KERBEROS,
- p.service, p.hostname,
- blob);
- if (ADS_ERR_OK(status)) {
- ads_free_service_principal(&p);
- goto done;
- }
+ if (ads->auth.password == NULL ||
+ ads->auth.password[0] == '\0')
+ {
- DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
- "calling kinit\n", ads_errstr(status)));
+ status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+ CRED_MUST_USE_KERBEROS,
+ p.service, p.hostname,
+ blob);
+ if (ADS_ERR_OK(status)) {
+ ads_free_service_principal(&p);
+ goto done;
+ }
+
+ DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
+ "calling kinit\n", ads_errstr(status)));
+ }
+ setenv(KRB5_ENV_CCNAME, "MEMORY:ads_sasl_spnego_bind", 1);
status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
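Review bot: the `setenv(KRB5_ENV_CCNAME, "MEMORY:ads_sasl_spnego_bind", 1);` added just before `ads_kinit_password(ads)` neither saves the previous value nor unsets it afterwards, so the process-global ccache name stays in effect for every later gssapi/krb5 call in this process, which is exactly the "set temporarily, unset after the call" rule the cover mail asks for; read the old value with `getenv()` before the call and restore or `unsetenv()` it after the kinit and the following bind return, and check the `setenv()` return value. Also worth stating in the commit message rather than leaving as "TODO": with a non-empty `ads->auth.password` the gensec bind is now skipped entirely and kinit runs unconditionally, so a valid ticket already in the caller's ccache is no longer reused on that path.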
--
1.9.1
From e0e12fb586c83af10e1076165a8817220c23fd2d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 6 Jul 2016 12:48:11 +0200
Subject: [PATCH 2/2] TODO: MEMORY:ads_sasl_gssapi_do_bind
---
source3/libads/sasl.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 190aa53..685b0f7 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -1024,15 +1024,19 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
return status;
}
- status = ads_sasl_gssapi_do_bind(ads, p.name);
- if (ADS_ERR_OK(status)) {
- ads_free_service_principal(&p);
- return status;
- }
+ if (ads->auth.password == NULL ||
+ ads->auth.password[0] == '\0')
+ status = ads_sasl_gssapi_do_bind(ads, p.name);
+ if (ADS_ERR_OK(status)) {
+ ads_free_service_principal(&p);
+ return status;
+ }
- DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
- "calling kinit\n", ads_errstr(status)));
+ DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
+ "calling kinit\n", ads_errstr(status)));
+ }
+ setenv(KRB5_ENV_CCNAME, "MEMORY:ads_sasl_gssapi_do_bind", 1);
status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
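Review bot: the new `if (ads->auth.password == NULL || ads->auth.password[0] == '\0')` has no opening brace, yet the block is closed by the added `}` before the `setenv()` line, so this hunk does not compile as posted; add `{` after the condition as the first patch does. The `setenv(KRB5_ENV_CCNAME, "MEMORY:ads_sasl_gssapi_do_bind", 1);` has the same problem as in the SPNEGO path: the previous value is not saved and nothing unsets it after `ads_kinit_password(ads)` returns, and its return value is unchecked. Since both binds now need the same save/set/restore around kinit, a small helper shared by `ads_sasl_spnego_bind()` and `ads_sasl_gssapi_bind()` would avoid duplicating the env handling.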
--
1.9.1