credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case

Alexander Bokovoy ab at samba.org
Fri Mar 3 12:07:00 UTC 2017


On Fri, 03 Mar 2017, Stefan Metzmacher wrote:
> Hi Alexander,
> 
> >>>> Attached patch is needed for upcoming FreeIPA 4.5 release to allow use
> >>>> of Samba Python bindings in a privilege separation mode provided by
> >>>> GSS-proxy (https://pagure.io/gssproxy). FreeIPA bug is here:
> >>>> https://pagure.io/freeipa/issue/6671, Samba bug is
> >>>> https://bugzilla.samba.org/show_bug.cgi?id=12611
> >>>>
> >>>> Please see more details in the commit message.
> >>>
> >>> Please have a look at
> >>> https://bugzilla.samba.org/show_bug.cgi?id=12480
> >>> for the reasons why we can't use gss_acquire_cred().
> >>>
> >>> There needs to be another solution, sorry.
> >>
> >> As gss_acquire_cred_from() seems to be handled by gssproxy,
> >> I guess we need a wrapper in lib/krb5_wrap/gss_samba.[ch]
> >> that uses gss_acquire_cred_from() if available and
> >> gss_krb5_import_cred() otherwise.
> >>
> >> And that wrapper needs to be used everywhere we currently
> >> use gss_krb5_import_cred(). It should also hide the mess
> >> we currently use in gse_init_server() to work around
> >> the broken gss_krb5_import_cred() server side.
> > That was my initial idea but the problem here is that we deal with it 
> > differently in different contexts. In client context we use GSSAPI creds
> > while in other places we use KRB5 ccache handle.
> > 
> > This particular code path is isolated from other use of
> > gss_krb5_import_cred(). And it does not need to specify explicit
> > credential cache because it is running in a client context and expects
> > to use the default ccache.
> 
> That's wrong, this code path operates on multiple MEMORY caches
> in smbtorture.
> 
> gss_acquire_cred() never used again for initiator creds
> and only for acceptor creds as a fallback for a broken
> gss_krb5_import_cred().
> 
> So all places should use the wrapper that uses
> gss_acquire_cred_from() if available. It should
> otherwise use gss_krb5_import_cred() with
> a fallback only for the keytab only case
> to gsskrb5_register_acceptor_identity()/gss_acquire_cred().

So, what about Andreas' code from
https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-cli_creds
?

The only issue I see there is that when gensec_gssapi calls into
cli_credentials_get_client_gss_creds() with NULL ccache, it wants to get
the creds from the default ccache but Andreas' code will try to create a
new MEMORY: ccache. This is wrong for the use case we have with
cli_credentials_get_client_gss_creds() because this ccache is empty and
the default one contains the actual credentials.


-- 
/ Alexander Bokovoy


