Patch: Make source4 gensec_gssapi handle the case where gss_accept_sec_context returns a token on error

Richard Sharpe realrichardsharpe at gmail.com
Sun Mar 20 22:07:01 UTC 2016


On Sun, Mar 20, 2016 at 2:29 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2016-03-20 at 07:56 -0700, Richard Sharpe wrote:
>> On Sun, Mar 20, 2016 at 1:15 AM, Andrew Bartlett <abartlet at samba.org>
>> wrote:
>> >
>> > On Sat, 2016-03-19 at 10:05 +0200, Alexander Bokovoy wrote:
>> >
>> > >
>> > > Sending non-empty output token is required by GSSAPI processing
>> > > regardless of the state we are in, see closing paragraphs of 2.2.2
>> > > in RFC 2743:
>> > > ----------------------------
>> > > The output_token result, when non-NULL, provides a context-level token
>> > > to be returned to the context initiator to continue a multi-step context
>> > > establishment sequence. As noted with GSS_Init_sec_context(), any
>> > > returned token should be transferred to the context's peer (in this
>> > > case, the context initiator), independent of the value of the
>> > > accompanying returned major_status.
>> > > ----------------------------
>> > Thanks!  Sounds like we should pass it on, but not adjust the status
>> > variable.  I do wonder if the rest of gensec (and callers) expects
>> > that, but it of course should also be adjusted.
>> Sigh,
>>
>> Look at frame 7 in the attached to convince yourself that it is a
>> Windows server responding (I don't think we support NEGOEX even now),
>> and frame 11 to see how Windows responds when an error token is
>> returned.
>>
>> I don't gratuitously make these changes.
>
> Thanks, I didn't previously have the context you gave above.  A
> matching test would be a very good thing here, because this area is
> some of the more delicate in Samba, and we want to keep getting it
> right.

Got to think about the test. The client and the KDC have to be synced
within the required 5 minutes or whatever, and then the server we are
contacting has to have drifted far forward or backwards.

Not sure if this is even a case that can arise for Samba as an AD DC.

-- 
Regards,
Richard Sharpe
(How to dispel sorrow? Only with Du Kang's wine. -- Cao Cao)