MIT Kerberos does not like the negTokenTarg returned by NetApp filers
realrichardsharpe at gmail.com
Tue Jul 7 20:47:38 UTC 2020
We ran into a problem recently when dealing with NetApp filers (both
7-Mode and C-Mode).
The KRB5 gss_init_sec_context call does not like the token returned
during SESSION SETUP requests because the encoding of the
supportedMech is not DER-encoded and it is assumed the length of the
supportedMech OID will never be larger than 127.
As a result it screws up the parsing of the negTokenTarg.
Windows, however, is fine with what NetApp servers return.
The following little patch, which the fine fellows at MIT are unhappy
with, fixes the problem:
--- src/lib/gssapi/spnego/spnego_mech.c.orig 2017-03-02
+++ src/lib/gssapi/spnego/spnego_mech.c 2020-06-29 21:07:05.749062072 +0000
@@ -3256,6 +3256,7 @@
gss_OID mech_out = NULL;
unsigned char *start, *end;
+ unsigned int bytes;
if (length < 1 || **buff_in != MECH_OID)
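Review bot: the new `bytes` variable is only written, by the gssint_get_der_length call in the next hunk, and nothing in the shown code reads it afterwards; since it reports how many octets the length field occupied, either use it when re-checking the remaining input against `end`, or add a comment saying it exists only to satisfy the out-parameter so a later reader does not take it for an unfinished bounds check.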
@@ -3264,9 +3265,11 @@
end = start + length;
- toid.length = *(*buff_in)++;
- if ((*buff_in + toid.length) > end)
+ /* Get the length in a way that allows more impls to work */
+ toid.length = gssint_get_der_length(buff_in, length - 1, &bytes);
+ if (toid.length < 0 || (*buff_in + toid.length) > end)
toid.elements = *buff_in;
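Review bot: the `toid.length < 0` test in `+ if (toid.length < 0 || (*buff_in + toid.length) > end)` can never be true, because toid is a gss_OID_desc whose length member is OM_uint32 (unsigned), so the -1 that gssint_get_der_length returns on a malformed length becomes a very large value before the comparison and the following pointer arithmetic is then performed with it; read the return value into a signed int first, check that for < 0, and only then assign it to toid.length. The `length - 1` argument relies on the `length < 1` guard in the previous hunk; a one-line comment on that dependency would help.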
As Ronnie Sahlberg points out, there is at least one more place in the
SPNEGO code where they assume that an OID length will never be greater
Perhaps this will help someone some time.