MIT Kerberos does not like the negTokenTarg returned by NetApp filers

Richard Sharpe realrichardsharpe at
Tue Jul 7 20:47:38 UTC 2020

Hi folks,

We ran into a problem recently when dealing with NetApp filers (both
7-Mode and C-Mode).

The KRB5 gss_init_sec_context call does not like the token returned
during SESSION SETUP requests because the encoding of the
supportedMech is not DER-encoded and it is assumed the length of the
supportedMech OID will never be larger than 127.

As a result it screws up the parsing of the negTokenTarg.

Windows, however, is fine with what NetApp servers return.

The following little patch, which the fine fellows at MIT are unhappy
with, fixes the problem:

--- src/lib/gssapi/spnego/spnego_mech.c.orig    2017-03-02
22:06:02.000000000 +0000
+++ src/lib/gssapi/spnego/spnego_mech.c 2020-06-29 21:07:05.749062072 +0000
@@ -3256,6 +3256,7 @@
        gss_OID_desc    toid;
        gss_OID         mech_out = NULL;
        unsigned char           *start, *end;
+       unsigned int    bytes;

        if (length < 1 || **buff_in != MECH_OID)
                return (NULL);
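Review bot: The new `unsigned int bytes;` is only ever written as far as this patch shows: it is passed as the out-parameter of gssint_get_der_length in the next hunk and never read afterwards. A one-line comment saying the value is intentionally ignored, or a check that actually uses it, would make the intent clear to the next reader.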
@@ -3264,9 +3265,11 @@
        end = start + length;

-       toid.length = *(*buff_in)++;

-       if ((*buff_in + toid.length) > end)
+       /* Get the length in a way that allows more impls to work */
+       toid.length = gssint_get_der_length(buff_in, length - 1, &bytes);
+       if (toid.length < 0 || (*buff_in + toid.length) > end)
                return (NULL);

        toid.elements = *buff_in;
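Review bot: The `toid.length < 0` test on the new check line cannot fire if `toid.length` is unsigned (gss_OID_desc declares it as OM_uint32 in the GSS-API headers), so a negative error return from gssint_get_der_length would be caught only by the pointer comparison next to it. Read the result into a signed int first, reject negative values, then assign it to toid.length. The bound is also safer written as a size comparison, `toid.length > (size_t)(end - *buff_in)`, than as `*buff_in + toid.length`, which can point past the end of the buffer before it is compared. The new comment could name the case it handles: length octets in long form.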

As Ronnie Sahlberg points out, there is at least one more place in the
SPNEGO code where they assume that an OID length will never be greater
than 127.

Perhaps this will help someone some time.

Richard Sharpe
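
The length problem described in the message, as an added example that is not part of the original post and is not MIT krb5 code: a reader that takes the first length octet as the length rejects an OID whose length is written in BER long form, while a bounds-checked BER reader accepts it. The sample bytes are constructed (the post does not show the filer's actual encoding) and both function names are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample, not a captured token: OID tag 0x06, length 9 written in
 * BER long form (0x82 0x00 0x09; DER would be a single 0x09), then the krb5
 * mechanism OID 1.2.840.113554.1.2.2. */
static const uint8_t sample_oid[] = {
    0x06, 0x82, 0x00, 0x09,
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
};

/* Short-form-only read (hypothetical name): the first length octet is taken
 * as the length itself. Returns the content length or -1. */
long naive_oid_length(const uint8_t *buf, size_t buflen)
{
    if (buflen < 2 || buf[0] != 0x06)
        return -1;
    return buf[1] > buflen - 2 ? -1 : (long)buf[1];
}

/* BER-tolerant read (hypothetical name): short form or long form with up to
 * 4 length octets. Stores the content offset in *off, returns the length. */
long ber_oid_length(const uint8_t *buf, size_t buflen, size_t *off)
{
    size_t pos = 2, len, n;
    if (buflen < 2 || buf[0] != 0x06)
        return -1;
    len = buf[1];
    if (len & 0x80) {
        n = len & 0x7f;
        if (n == 0 || n > 4 || n > buflen - pos)  /* indefinite, huge, truncated */
            return -1;
        for (len = 0; n > 0; n--)
            len = (len << 8) | buf[pos++];
    }
    if (len > buflen - pos)  /* size comparison, no pointer past the end */
        return -1;
    *off = pos;
    return (long)len;
}

int main(void)
{
    size_t off = 0;
    printf("naive: %ld\n", naive_oid_length(sample_oid, sizeof sample_oid));
    printf("ber:   %ld\n", ber_oid_length(sample_oid, sizeof sample_oid, &off));
    return 0;
}
```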

More information about the samba-technical mailing list