[WIP PATCH] cli_session_setup_creds()

Andrew Bartlett abartlet at samba.org
Wed Sep 21 02:13:39 UTC 2016 

On Wed, 2016-09-21 at 00:03 +0200, Andreas Schneider wrote:
> Hello,
> 
> I'm working on a not so trivial patchset for libsmb. I've added a new
> function 
> cli_session_setup_creds() do pass through a 'struct cli_credentials'
> down to 
> gensec/gssapi.

Yay!  (Thanks for finishing some of what I was unable to push forward
to do, but always wanted to)

> I'm doing that for two reasons:
> 
> a) I need that to pass down the correct realm from winbind to gssapi
> to 
>    correctly establish trusts with MIT Kerberos.
> b) Metze started to dance when he heard that I will work on passing
> down
>    cli_crendentials :-)

I'm cheering as well!

> There popped up several issues while working on that patchset and I
> haven't 
> sorted out all of them.
> 
> First, several tests use the system credential store and shouldn't do
> that. 
> The first patches in the attached patchset address that. They could
> already be 
> pushed.
> 
> Second, I move the "kinit" with username and password from
> cli_session_setup() 
> to gensec. The new code correctly looks for existing tickets, checks 
> expiration etc. if needed it acquires a new ticket. The first problem
> with the 
> current heimdal we have, we mix krb5 and gssapi and this can lead to
> issues. 
> 
> Third some semantics we had before change. We are first checking for
> existing 
> tickets and use them if they are still valid. If not we ask for a new
> krbtgt 
> using the provided username/password. We didn't do that before.

This bit doesn't seem right, unless the ccache was forced with
CRED_SPECIFIED.  The idea in cli_credentials was that if a username/pw
is specified, then we always get a new ticket with that.  

Or put another way, the thing (ccache, username/pw) that is set with
the highest level wins, from GUESS, to ENV, to CALLBACK, to SPECIFIED.

I would love to talk this over next week if needed.

> An example is a password_settings test (see the FIXME commit). We
> changed the 
> password and try to login with the old password using Kerberos. As we
> look for 
> a valid ticket first and find one, we are able to login. The old code
> did not 
> check for a valid ticket but forced a login. I would say it works now
> is 
> correct ...
> 
> 'make test' passed with that patchset.
> 
> 
> Please review and comment. I will test with MIT Kerberos tomorrow.

I will have a look, but I wanted to write back first to convey my
similar enthusiasm. 

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list