credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case

Stefan Metzmacher metze at samba.org
Fri Mar 3 12:12:59 UTC 2017


Hi Alexander,

>>>>> Attached patch is needed for upcoming FreeIPA 4.5 release to allow use
>>>>> of Samba Python bindings in a privilege separation mode provided by
>>>>> GSS-proxy (https://pagure.io/gssproxy). FreeIPA bug is here:
>>>>> https://pagure.io/freeipa/issue/6671, Samba bug is
>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12611
>>>>>
>>>>> Please see more details in the commit message.
>>>>
>>>> Please have a look at
>>>> https://bugzilla.samba.org/show_bug.cgi?id=12480
>>>> for the reasons why we can't use gss_acquire_cred().
>>> Sorry Metze, but you are wrong in this particular case.
>>>
>>> We are using gss_acquire_cred() in a lot of other places -- source3 code
>>> uses GENSEC GSE module on server side through auth_generic_prepare()
>>> which prioritises GENSEC GSE.
>>
>> No we only use gss_acquire_cred() as a fallback in gse_init_server()
>> when gss_krb5_import_cred() has a bug importing a keytab.
>>
>> Are you looking at an older release? that doesn't have the #12480
>> patches?
> No, there is also gss_acquire_cred() in master for source3/libads/sasl.c
> but that is only used if gss_krb5_import_cred() is not defined.

We always have gss_krb5_import_cred() as we rely on MIT 1.9,
please review the attached patch to remove the #ifdef.

> For 4.5 I'd need to make sure #12480 is patched too.

It's in 4.5.4 and 4.4.10.

>>> However, cli_credentials_get_client_gss_creds() is only called in two
>>> places:
>>>
>>> - gensec_gssapi_client_creds() in source4/auth/gensec/gensec_gssapi.c
>>>   where it is called with default credentials cache. This is client side
>>>   use of GENSEC with GSSAPI and never is called inside winbindd where it
>>>   could stumble on MEMORY: ccaches.
>>
>> Will operate on cli_credentials_get_client_gss_creds() in almost all cases
>> where we use kerberos, e.g. when the user didn't 'kinit' before
>> and passed a password.
> Nope. It only is used when GENSEC GSSAPI is used. We have separate
> GENSEC Kerberos module that is using other codepaths and provides
> support for the same OIDs. Both don't work with gssproxy due to this
> bug.

gensec_gssapi.c is the module we're using for kerberos authentication!
gensec_krb5.c is only for simulating the 3.6 code and for the kpassword
sign/seal logic.

So gensec_gssapi.c is the one that's used with MEMORY ccaches all the time,
for command line credentials and for special smbtorture tests.

Note that we only use the default ccache if no -U is provided to the
command line tools. In all other cases (I always use -U and never a
separate kinit) we use MEMORY ccaches.

>> See my other mail for the solution we can aim for.
> I did reply to it already. We have two places where we want to use
> non-default ccache:
> 
> source3/libads/sasl.c:  maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred);
> 
> source3/librpc/crypto/gse.c:    gss_maj = gss_krb5_import_cred(&gss_min,
> source3/librpc/crypto/gse.c-                                   gse_ctx->ccache,
> 
> 
> Other four are using default ccache.

We almost never want to use the default cache!

> Changing to gss_acquire_cred_from()
> would mean we have to obtain default ccache name first and supply it as
> part of a cred store spec. I have code for that, but I was under
> impression you didn't like using gss_acquire_cred_from() at all.

No, I didn't like gss_acquire_cred()!

gss_acquire_cred_from() is fine, I just used gss_krb5_import_cred()
for now as up to now they provided the same functionality but portable
to all supported kerberos libraries.

Now that you showed a valid requirement to use gss_acquire_cred_from(),
we should do that via a wrapper.

> If you are OK for gss_acquire_cred_from(), I'll do a wrapper.

I am:-) Thanks!

metze
-------------- next part --------------
From 6747b11c746e6610d5e4eed98d20c064c57ca439 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 3 Mar 2017 12:56:24 +0100
Subject: [PATCH] s3:libads: remove unused fallback to gss_acquire_cred()

Heimdal and all supported versions of MIT krb5 provide gss_krb5_import_cred(),
so we don't need an #ifdef here.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/libads/sasl.c | 27 ---------------------------
 1 file changed, 27 deletions(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 8570788..cb630fa 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -365,7 +365,6 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
 		return ADS_ERROR_KRB5(kerr);
 	}
 
-#ifdef HAVE_GSS_KRB5_IMPORT_CRED
 	kerr = krb5_cc_resolve(kctx, ads->auth.ccache_name, &kccache);
 	if (kerr) {
 		status = ADS_ERROR_KRB5(kerr);
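Review bot: dropping `#ifdef HAVE_GSS_KRB5_IMPORT_CRED` here leaves that macro unreferenced in this file, so if the build system still runs a configure check that defines it, the check should go in the same patch (or the commit message should say it is kept for other users); otherwise a later reader will assume the #ifdef was removed by mistake. The commit message's justification also says "all supported versions" while the mail body names MIT 1.9 as the floor; stating the concrete minimum version in the message would make the claim checkable.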
@@ -377,32 +376,6 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
 		status = ADS_ERROR_GSS(maj, min);
 		goto done;
 	}
-#else
-	/* We need to fallback to overriding the default creds.
-	 * This operation is not thread safe as it changes the process
-	 * environment variable, but we do not have any better option
-	 * with older kerberos libraries */
-	{
-		const char *oldccname = NULL;
-
-		oldccname = getenv("KRB5CCNAME");
-		setenv("KRB5CCNAME", ads->auth.ccache_name, 1);
-
-		maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE,
-				       NULL, GSS_C_INITIATE, cred, NULL, NULL);
-
-		if (oldccname) {
-			setenv("KRB5CCNAME", oldccname, 1);
-		} else {
-			unsetenv("KRB5CCNAME");
-		}
-
-		if (maj != GSS_S_COMPLETE) {
-			status = ADS_ERROR_GSS(maj, min);
-			goto done;
-		}
-	}
-#endif
 
 	status = ADS_SUCCESS;
 
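Review bot: removing the fallback is the right call for more than thread safety: in the deleted block `oldccname = getenv("KRB5CCNAME")` is followed by `setenv("KRB5CCNAME", ads->auth.ccache_name, 1)`, which may replace the very environment entry that `oldccname` points into, so the later `setenv("KRB5CCNAME", oldccname, 1)` restored from a pointer whose contents were no longer guaranteed. Worth a line in the commit message so the removal is not read as a pure cleanup. After the removal the function has a single path that depends on `kccache` from the `krb5_cc_resolve()` call above; please confirm the matching `krb5_cc_close()` in the `done:` path is still reached on both the success and the `ADS_ERROR_GSS` exit.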
-- 
1.9.1
