Spurious AS request in ads_sasl_spnego_bind() (was: Re: Event log 4768 audit failure)

Andrew Bartlett abartlet at samba.org
Sat Jun 18 20:23:08 UTC 2016


On Sat, 2016-06-18 at 22:29 +0300, Uri Simchoni wrote:
> Hi,
> 
> I had a closer look at this, and it looks like the spurious AS request
> is created because in ads_sasl_spnego_bind(), the order of events is:
> 1. Try ads_sasl_spnego_gensec_bind()
> 2. If that fails, do a kinit and retry
> 
> Presumably, the idea is that step 1 is supposed to leverage a cached
> TGT, thus avoiding another AS handshake, and if there isn't any, do a
> kinit to obtain a TGT and retry the sasl bind.
> 
> What actually happens is that in step 1, if there's no cached TGT, the
> code generates an AS request, but a wrong one - using the name of the
> current user (hence "root" as reported).
> 
> What I'm not sure about is what's the right direction for the fix - is
> it to avoid generating an AS request in step 1, or to generate the
> RIGHT AS request in step 1 (AFAIK, generating a TGT is outside the scope
> of GSSAPI, GSSAPI can only acquire a TGT from a cache, so I'm not sure
> why it even tries that).
> 
> Maybe we can use gensec to determine whether we have a TGT, instead of
> calling ads_sasl_spnego_gensec_bind() twice?
> 
> Instead of:
> ads_sasl_spnego_gensec_bind();
> if (!success) {
> 	ads_kinit_password();
> 	ads_sasl_spnego_gensec_bind();
> }
> 
> Change to:
> if (!gensec_we_have_a_tgt()) {
> 	ads_kinit_password();
> }
> ads_sasl_spnego_gensec_bind();
> 
> Any pointers/comments would be welcome.

Between gensec and cli_credentials, when fully implemented, it should
be able to do it all inside gensec, getting a ticket only when strictly
required.
However, in practice gensec_gse (used in source3) and gensec_gssapi
(used in source4) are quite different, and in the interests of not
changing behaviour, this smarter handling wasn't ported between the
implementations.
Have a look at how smbclient4 works, and look at the call to
cli_credentials_get_client_gss_creds() in gensec_gssapi.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
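The "check for a TGT first, kinit only if needed" ordering that Uri proposes can be illustrated outside Samba with the standard Kerberos command-line tools. The script below is an added example written for this page, not Samba code and not the gensec change discussed above: it uses `klist -s` (exit status 0 when the default credential cache holds a valid TGT) as the stand-in for the hypothetical gensec_we_have_a_tgt(), and only runs `kinit` for the intended principal when that check fails. The KLIST/KINIT overrides and the EXAMPLE.COM principal are constructed for the example so the logic can be exercised without a KDC. The security-relevant point is the one from the thread: no AS-REQ is ever sent for an unintended principal such as the current Unix user, so the KDC's audit log (event 4768 on a Windows DC) does not fill with failures that look like credential misuse.

```shell
#!/bin/sh
# Added example, not Samba's code. Mirrors the proposed ordering:
#   if (!gensec_we_have_a_tgt()) { ads_kinit_password(); }
#   ads_sasl_spnego_gensec_bind();
# using the MIT Kerberos / Heimdal CLI tools. klist -s exits 0 only when
# the default credential cache contains a valid, non-expired TGT.
# KLIST and KINIT are overridable (constructed for testing without a KDC).
KLIST="${KLIST:-klist}"
KINIT="${KINIT:-kinit}"

# ensure_tgt PRINCIPAL
# Returns 0 when a usable TGT is available (already cached, or freshly
# obtained for PRINCIPAL), 1 when kinit was required and failed.
# kinit is never invoked while a TGT is cached, so no spurious AS exchange
# is generated, and when one is needed it names the intended principal
# rather than the current user (the "root" AS request from the thread).
ensure_tgt() {
    principal="$1"
    if [ -z "$principal" ]; then
        echo "ensure_tgt: principal required" >&2
        return 1
    fi
    if "$KLIST" -s 2>/dev/null; then
        return 0                      # cached TGT: no AS-REQ at all
    fi
    if "$KINIT" "$principal"; then    # exactly one AS exchange, right name
        return 0
    fi
    echo "ensure_tgt: could not obtain a TGT for $principal" >&2
    return 1
}

# Usage (constructed principal; the SASL bind that follows is whatever
# Kerberos-authenticated client you actually run):
#   ensure_tgt 'host/server.example.com@EXAMPLE.COM' && ldapsearch -Y GSSAPI -b '' -s base
```

Run as a library of one function: source the file, then call `ensure_tgt` before any GSSAPI/SPNEGO bind. Because the decision is made on the cache state rather than on a failed bind attempt, a missing TGT costs one correctly-named AS exchange instead of one wrong attempt plus a retry.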