[RFC] fix bug 12007 (libads and kinit only as fallback)

Stefan Metzmacher metze at samba.org
Wed Jul 6 11:15:53 UTC 2016


ENOPATCH...

On 06.07.2016 at 13:09, Stefan Metzmacher wrote:
> Hi Uri,
> 
>> I think we're in agreement that Heimdal is at fault here, so I propose
>> the following:
>> 1. Fix bundled Heimdal not to try the keytab at all unless a
>> CLIENT_KRB5_KTNAME env is set, and try to upstream this.
>> 2. We still remain with users (real or imaginary) that use out-of-tree
>> Heimdal, 1.5.x or something, for a member server setup. For those we
>> can't fix Heimdal, and it's a change in samba that created the issue, the
>> fact that it's a correct change notwithstanding. So I propose that for
>> those (based on compile time defines) we use kinit always.
> 
> First I think we can and should fix this in Samba code.
> Having additional fixes for Heimdal is good, but we should not rely on them.
> 
> I'm not sure if it's related, but Günther and I had to debug problems
> where MIT libraries silently fallback to the default ccache
> instead of using the explicitly set KRB5_ENV_CCNAME.
> 
> It might be related to gse_context_init() calling to krb5_cc_default_name().
> 
> I think that's a much worse problem than trying an AS-REQ without any
> password.
> 
>> As for your remarks about kinit: The usage pattern for the net tool and
>> for winbindd is:
>> 1. Obtain username/password from secrets.tdb or (in the case of net)
>> from the U parameter. There's no single-sign-on operation for net AFAICT.
>> 2. set KRB5_CCNAME to MEMORY:something, to create a separate ccache
>> 3. Invoke libads (for ldap) and/or the smbcli (for smb) - those can
>> theoretically share the credentials.
>> 4. Internally, smb never assumes it got credentials from some prior
>> operation, it always uses the user/password for kinit,
> 
> That's not true, it only does it if a password is specified.
> 
>> whereas libads first tries gssapi, and if that fails runs kinit and re-tries.
> 
> What we really need to fix is the interaction of cli_credentials
> and the gensec_gse module.
> 
> gensec_gssapi_client_creds() uses cli_credentials_get_client_gss_creds(),
> while we just have "TODO: get krb5 ticket using username/password, if no
> valid one already available in ccache"
> in gse_init_client().
> 
> So as a long term goal we need to get rid of the
>   ok = ads_sasl_spnego_gensec_bind();
>   if (!ok) { ads_kinit_password(); ads_sasl_spnego_gensec_bind(); }
> pattern.
> 
> I didn't change that within the badlock fixes, because we already had
> more than enough patches.
> 
> As a short term fix we may use similar logic in libads as in libsmb.
> 
> The attached patches may need more work.
> 
> gse_init_client()->gse_context_init() with ccache_name=NULL
> and ads_init_gssapi_cred() using ads->auth.ccache_name
> might be the same or additional potential problems.
> 
> We really need to avoid using global envvars like "KRB5CCNAME".
> If we have to, we need to set them just temporarily before gssapi/krb5 calls
> and unset them after the call again.
> 
>> I'll open a separate bug on the delegation issue.
> 
> I don't think we need one.
> 
> metze
> 
-------------- next part --------------
From 2dba6a45c14cc02df114cc70ed882c4a7de89d07 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 6 Jul 2016 12:44:11 +0200
Subject: [PATCH 1/2] TODO: MEMORY:ads_sasl_spnego_bind

---
 source3/libads/sasl.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 10f63e8..190aa53 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -748,18 +748,24 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
 	    got_kerberos_mechanism) 
 	{
-		status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
-						     CRED_MUST_USE_KERBEROS,
-						     p.service, p.hostname,
-						     blob);
-		if (ADS_ERR_OK(status)) {
-			ads_free_service_principal(&p);
-			goto done;
-		}
+		if (ads->auth.password == NULL ||
+		    ads->auth.password[0] == '\0')
+		{
 
-		DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
-			  "calling kinit\n", ads_errstr(status)));
+			status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+							     CRED_MUST_USE_KERBEROS,
+							     p.service, p.hostname,
+							     blob);
+			if (ADS_ERR_OK(status)) {
+				ads_free_service_principal(&p);
+				goto done;
+			}
+
+			DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
+				  "calling kinit\n", ads_errstr(status)));
+		}
 
+		setenv(KRB5_ENV_CCNAME, "MEMORY:ads_sasl_spnego_bind", 1);
 		status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
 
 		if (ADS_ERR_OK(status)) {
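Review bot: in the new no-password branch, a failed ads_sasl_spnego_gensec_bind() still falls through to ads_kinit_password(ads), even though the condition on the branch just established that ads->auth.password is NULL or empty; consider returning the gensec failure status there instead of logging "calling kinit" and continuing. The added setenv(KRB5_ENV_CCNAME, "MEMORY:ads_sasl_spnego_bind", 1) is process-global and never restored, which is the pattern the cover mail says to avoid; if it stays in, save the previous value before the kinit/bind calls and put it back (or unset it) afterwards.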
-- 
1.9.1


From e0e12fb586c83af10e1076165a8817220c23fd2d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 6 Jul 2016 12:48:11 +0200
Subject: [PATCH 2/2] TODO: MEMORY:ads_sasl_gssapi_do_bind

---
 source3/libads/sasl.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 190aa53..685b0f7 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -1024,15 +1024,19 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
 		return status;
 	}
 
-	status = ads_sasl_gssapi_do_bind(ads, p.name);
-	if (ADS_ERR_OK(status)) {
-		ads_free_service_principal(&p);
-		return status;
-	}
+	if (ads->auth.password == NULL ||
+	    ads->auth.password[0] == '\0')
+		status = ads_sasl_gssapi_do_bind(ads, p.name);
+		if (ADS_ERR_OK(status)) {
+			ads_free_service_principal(&p);
+			return status;
+		}
 
-	DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
-		  "calling kinit\n", ads_errstr(status)));
+		DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
+			  "calling kinit\n", ads_errstr(status)));
+	}
 
+	setenv(KRB5_ENV_CCNAME, "MEMORY:ads_sasl_gssapi_do_bind", 1);
 	status = ADS_ERROR_KRB5(ads_kinit_password(ads));
 
 	if (ADS_ERR_OK(status)) {
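Review bot: the added `if (ads->auth.password == NULL || ads->auth.password[0] == '\0')` has no opening brace, yet a closing `}` is added after the DEBUG call; as written the hunk does not compile (unmatched brace), and without the brace only the ads_sasl_gssapi_do_bind() call would be conditional while the ADS_ERR_OK check and DEBUG would run unconditionally. Add `{` after the condition as the first patch does. The same unrestored setenv(KRB5_ENV_CCNAME, ...) concern raised on the first patch applies to "MEMORY:ads_sasl_gssapi_do_bind" here.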
-- 
1.9.1
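The quoted mail's point about KRB5CCNAME (set it only temporarily around gssapi/krb5 calls, then put it back) is what the bare setenv() calls in the two TODO patches do not yet do. The following is an added example, not Samba code: a small C helper that scopes an environment variable to one callback and restores the previous value, or unsets it again if it was absent. run_with_scoped_env, observe_ccache and check_scoped_ccache are hypothetical names, and the FILE: path used in the self-check is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not Samba code; all names here are hypothetical. */
typedef int (*scoped_env_fn)(void *private_data);

/* Run fn() with name=value in the environment, then put the variable back
 * as it was (old value, or unset).  Returns fn()'s result, -1 on env error. */
int run_with_scoped_env(const char *name, const char *value,
			scoped_env_fn fn, void *private_data)
{
	const char *old = getenv(name);
	char *saved = NULL;	/* getenv() aliases the environment: copy it */
	int ret;
	if (old != NULL && (saved = strdup(old)) == NULL)
		return -1;
	if (setenv(name, value, 1) != 0) {
		free(saved);
		return -1;
	}
	ret = fn(private_data);
	/* Restore even when fn() failed; unset it if it was not set before. */
	if (saved != NULL) setenv(name, saved, 1); else unsetenv(name);
	free(saved);
	return ret;
}

/* Constructed stand-in for a gssapi/krb5 call: copies the ccache it saw
 * into the 128-byte buffer passed as private_data. */
static int observe_ccache(void *private_data)
{
	const char *seen = getenv("KRB5CCNAME");
	snprintf(private_data, 128, "%s", seen ? seen : "");
	return seen ? 0 : -1;
}

/* Self-check: scope a MEMORY: ccache around the callback and report (1/0)
 * whether the prior KRB5CCNAME state (initial, or unset if NULL) came back. */
int check_scoped_ccache(const char *initial)
{
	char seen[128], *after;
	if (initial) setenv("KRB5CCNAME", initial, 1); else unsetenv("KRB5CCNAME");
	if (run_with_scoped_env("KRB5CCNAME", "MEMORY:ads_sasl_spnego_bind",
				observe_ccache, seen) != 0 ||
	    strcmp(seen, "MEMORY:ads_sasl_spnego_bind") != 0)
		return 0;
	after = getenv("KRB5CCNAME");
	return initial ? (after && strcmp(after, initial) == 0) : (after == NULL);
}
```

check_scoped_ccache("FILE:/tmp/krb5cc_constructed") exercises the restore path and check_scoped_ccache(NULL) the unset path; both return 1 when the caller's environment is left untouched.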
