credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case

Alexander Bokovoy ab at samba.org
Fri Mar 3 09:29:40 UTC 2017


Hi,

Attached patch is needed for upcoming FreeIPA 4.5 release to allow use
of Samba Python bindings in a privilege separation mode provided by
GSS-proxy (https://pagure.io/gssproxy). FreeIPA bug is here:
https://pagure.io/freeipa/issue/6671, Samba bug is
https://bugzilla.samba.org/show_bug.cgi?id=12611

Please see more details in the commit message.

-- 
/ Alexander Bokovoy
From d9b09b6c72c8d9a701758d4af91c3e7385b8332d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab at samba.org>
Date: Fri, 3 Mar 2017 11:04:52 +0200
Subject: [PATCH] credentials_krb5: use gss_acquire_cred for client-side GSSAPI
 use case

Use gss_acquire_cred() to obtain credentials from the default
credentials store for client-based GENSEC GSSAPI operation.

This allows proper execution under GSSAPI interposer plugin provided by
GSS-proxy project. GSS-proxy 0.6.2 makes it possible to interpose
gss_acquire_cred() in a similar fashion to gss_acquire_cred_from().
While gss_acquire_cred_from() is a MIT extension, gss_acquire_cred() is
available in Heimdal as well and is used in other parts of Samba, namely
in source3's GENSEC gse module.

Client operation in GSS-proxy-enabled environment is needed for upcoming
FreeIPA 4.5 which internally does privilege separation between its
framework and Apache front end code that handles actual authentication
of incoming client requests.

Samba Python bindings are used by FreeIPA framework to establish forest
trust between local Samba and remote Active Directory forests. When
FreeIPA administrator attempts to create a trust, FreeIPA uses S4U2Proxy
to allow HTTP/... principal to act on behalf of the remote administrator
credentials. With privilege separation in place, Samba GENSEC and
credentials code is unable to find actual tickets in the credential
cache available in the environment because GSS-proxy keeps them
encrypted and only accessible via GSSAPI calls that were interposed.

gss_krb5_import_cred() is not interposed, like many other direct Kerberos
extensions to GSSAPI. As a result, we need to use a proper GSSAPI call here.

GSS-proxy 0.6.3 will also handle gss_set_cred_option(), thus making
this minimal patch enough to enable FreeIPA 4.5 to operate in privilege
separation mode with Samba Python bindings.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab at samba.org>
---
 auth/credentials/credentials_krb5.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index d2a655e..53e4c6b 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -717,8 +717,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 		return ENOMEM;
 	}
 
-	maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, 
-					&gcc->creds);
+	maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET, GSS_C_INITIATE,
+				    &gcc->creds, NULL, NULL);
 	if ((maj_stat == GSS_S_FAILURE) &&
 	    (min_stat == (OM_uint32)KRB5_CC_END ||
 	     min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
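Review bot: the replacement call no longer uses `ccache->ccache`, yet the function still resolves that ccache first; `gss_acquire_cred(&min_stat, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET, GSS_C_INITIATE, ...)` reads whatever the process-wide default credential store is (KRB5CCNAME or the library default), so when that differs from the cache Samba resolved, credentials are silently taken from the wrong cache. A short comment at the call site stating that the default store is relied on deliberately for the GSS-proxy case would make this intentional rather than accidental, and passing a krb5-only mechanism OID set instead of GSS_C_NO_OID_SET would keep a non-Kerberos mechanism from satisfying the request. The `min_stat == (OM_uint32)KRB5_CC_END` / `KRB5_CC_NOTFOUND` comparisons that follow also assume the minor status is still a krb5 error code; under an interposer that may not hold, which would skip the fallback path. Finally, the new lines exceed 80 columns; wrap them to match the surrounding code.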
@@ -735,8 +735,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 			return ret;
 		}
 
-		maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
-						&gcc->creds);
+		maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET, GSS_C_INITIATE,
+					    &gcc->creds, NULL, NULL);
 
 	}
 
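Review bot: this retry issues the same `gss_acquire_cred()` call as the first attempt and no longer consumes the ccache that the code just above re-obtains (the `return ret;` context is that refresh's error path), so the second attempt can only succeed if refreshing the cache also changed the default credential store; within the visible context `maj_stat` from this call is not checked before the block ends. Either apply the same GSS_S_FAILURE handling as after the first call, or add a comment explaining why the retry is still expected to help when only the default store is consulted.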
-- 
2.9.3
