[WIP PATCH] cli_session_setup_creds()
Andrew Bartlett
abartlet at samba.org
Wed Sep 21 02:13:39 UTC 2016
On Wed, 2016-09-21 at 00:03 +0200, Andreas Schneider wrote:
> Hello,
>
> I'm working on a not so trivial patchset for libsmb. I've added a new
> function cli_session_setup_creds() to pass through a 'struct cli_credentials'
> down to gensec/gssapi.
Yay! (Thanks for finishing some of what I was unable to push forward
to do, but always wanted to)
> I'm doing that for two reasons:
>
> a) I need that to pass down the correct realm from winbind to gssapi to
> correctly establish trusts with MIT Kerberos.
> b) Metze started to dance when he heard that I will work on passing down
> cli_credentials :-)
I'm cheering as well!
> Several issues popped up while working on that patchset and I haven't
> sorted out all of them.
>
> First, several tests use the system credential store and shouldn't do
> that. The first patches in the attached patchset address that. They could
> already be pushed.
>
> Second, I move the "kinit" with username and password from
> cli_session_setup() to gensec. The new code correctly looks for existing
> tickets, checks expiration etc.; if needed it acquires a new ticket. The
> first problem with the current Heimdal we have is that we mix krb5 and
> gssapi, and this can lead to issues.
>
> Third, some semantics we had before have changed. We are first checking
> for existing tickets and use them if they are still valid. If not, we ask
> for a new krbtgt using the provided username/password. We didn't do that
> before.
This bit doesn't seem right, unless the ccache was forced with
CRED_SPECIFIED. The idea in cli_credentials was that if a username/pw
is specified, then we always get a new ticket with that.
Or put another way, the thing (ccache, username/pw) that is set with
the highest level wins, from GUESS, to ENV, to CALLBACK, to SPECIFIED.
I would love to talk this over next week if needed.
> An example is a password_settings test (see the FIXME commit). We changed
> the password and try to login with the old password using Kerberos. As we
> look for a valid ticket first and find one, we are able to login. The old
> code did not check for a valid ticket but forced a login. I would say how
> it works now is correct ...
>
> 'make test' passed with that patchset.
>
>
> Please review and comment. I will test with MIT Kerberos tomorrow.
I will have a look, but I wanted to write back first to convey my
similar enthusiasm.
Thanks!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
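The precedence rule Andrew spells out above (ccache versus username/password, whichever was set at the highest level wins, from GUESS to ENV to CALLBACK to SPECIFIED), and the password_settings case Andreas raises, as an added model written for this page. It is not code from the patchset or from Samba: the enum names, the `struct creds` layout, the tie-break (a fresh kinit when both sides sit at the same level), the mock KDC and all account values are constructed assumptions, chosen only to make the policy executable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for the credential-source levels named in the thread
 * (GUESS < ENV < CALLBACK < SPECIFIED); not Samba's real enum. */
enum cred_obtained { OBT_UNSET = 0, OBT_GUESS, OBT_ENV, OBT_CALLBACK, OBT_SPECIFIED };

struct ticket_cache {
	bool present;
	time_t expiry;               /* when the cached krbtgt expires */
	enum cred_obtained obtained; /* level at which the ccache was chosen */
};

struct creds {
	const char *username;
	const char *password;
	enum cred_obtained password_obtained;
	struct ticket_cache ccache;
};

enum kinit_decision { USE_CACHED_TICKET, KINIT_WITH_PASSWORD, NO_CREDENTIALS };

/* The rule from the thread: whichever of (ccache, username/password) was set
 * at the higher level wins. An absent or expired ticket never wins. Assumed
 * tie-break: a fresh kinit, so a supplied password is proven to the KDC. */
enum kinit_decision decide_kerberos_source(const struct creds *c, time_t now)
{
	bool have_pw = c->username != NULL && c->password != NULL &&
		       c->password_obtained != OBT_UNSET;
	bool have_ticket = c->ccache.present && c->ccache.expiry > now;

	if (have_pw && have_ticket) {
		return c->ccache.obtained > c->password_obtained
			       ? USE_CACHED_TICKET : KINIT_WITH_PASSWORD;
	}
	if (have_ticket) return USE_CACHED_TICKET;
	if (have_pw) return KINIT_WITH_PASSWORD;
	return NO_CREDENTIALS;
}

/* Constructed stand-in for KDC pre-authentication: the caller supplies the
 * account's current password. */
static bool mock_kdc_accepts(const char *pw, const char *current_pw)
{
	return pw != NULL && strcmp(pw, current_pw) == 0;
}

/* Does session setup succeed under this policy? */
bool session_setup_succeeds(const struct creds *c, time_t now, const char *current_pw)
{
	switch (decide_kerberos_source(c, now)) {
	case USE_CACHED_TICKET:   return true;
	case KINIT_WITH_PASSWORD: return mock_kdc_accepts(c->password, current_pw);
	default:                  return false;
	}
}

static struct creds make_creds(const char *pw, enum cred_obtained pw_level,
			       bool ticket, time_t expiry, enum cred_obtained cc_level)
{
	struct creds c = { .username = "user1", .password = pw, .password_obtained = pw_level,
			   .ccache = { .present = ticket, .expiry = expiry, .obtained = cc_level } };
	return c;
}

/* The password_settings case: the password was changed, the old one is
 * supplied explicitly, and a still-valid ticket sits in an environment-level
 * ccache. The explicit password outranks the ccache, a kinit is forced, and
 * the login with the old password fails, as the test expects. */
bool login_old_password_with_cached_ticket(void)
{
	struct creds c = make_creds("OldPassw0rd", OBT_SPECIFIED, true, 4600, OBT_ENV);
	return session_setup_succeeds(&c, 1000, "NewPassw0rd");
}

/* A ccache forced at the SPECIFIED level beats a merely guessed password. */
enum kinit_decision decision_forced_ccache_vs_guessed_password(void)
{
	struct creds c = make_creds("whatever", OBT_GUESS, true, 4600, OBT_SPECIFIED);
	return decide_kerberos_source(&c, 1000);
}

/* An expired ticket is ignored even when the ccache sits at a higher level. */
enum kinit_decision decision_expired_ticket(void)
{
	struct creds c = make_creds("NewPassw0rd", OBT_CALLBACK, true, 900, OBT_SPECIFIED);
	return decide_kerberos_source(&c, 1000);
}

int main(void)
{
	printf("old password + cached ticket: login %s\n",
	       login_old_password_with_cached_ticket() ? "succeeds" : "fails");
	return 0;
}
```

The model makes the difference between the two behaviours visible: under "first valid ticket wins" the old-password login would succeed because the stale ticket is reused, whereas under "highest level wins" an explicitly specified password always forces a new krbtgt request and the stale ticket is never trusted on its own.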