Following Steve's Question - Re Tokens in SPNEGO
wbrown at suse.de
Sat May 30 09:33:07 UTC 2020
> On 29 May 2020, at 20:40, Alexander Bokovoy via samba-technical <samba-technical at lists.samba.org> wrote:
> Hi William,
> On pe, 29 touko 2020, William Brown via samba-technical wrote:
>> Hi there,
>> Thinking to Steve's question yesterday, it would be interesting to
>> know from the experts on this mailing list an answer. How what would
>> opaque token authentication look like in Samba? How would a passdb
>> support this style of authentication? How would a client get the token
>> to pass through?
>> It would be great to know more about this and explore some of these thoughts.
> My current thinking is around reusing existing infrastructure in the
> protocol. SMB3 authenticates with SPNEGO. SPNEGO allows multiple
> authentication mechanisms to be advertised, with the most common ones being krb5
> and NTLM. These are not the only ones; a common extension mechanism
> called NEGOEX can be used as well.
> NEGOEX is basically a way to tunnel some method of authentication known
> to both client and server through SPNEGO. It doesn't need to
> require a third party (like a KDC) to broker the authenticity of the
> parties. MIT Kerberos supports NEGOEX since version 1.18; there are also
> patches for Heimdal.
How would the current tdb passdb or ldapsam work with this? A hook where the content of the NEGOEX is sent to that module?
I.e. think bearer tokens from OAuth being passed in that can be validated, or a SAML assertion where you can check as the passdb has a registered handler.
It would be interesting to know how a Windows server + Windows desktop, both joined to Azure AD, conduct their authentication in this case, since there should be no NTLM or krb involved ...
> gss_inquire_name(..., &attrs);
> find an attribute with the right name
> gss_get_name_attribute(..., name, attribute, ..., &value, ...);
> extract NT security token or something that can be used to construct
> it from the value with the right name
>  https://docs.microsoft.com/en-us/openspecs/windows_protocols/MS-SPNG/d2ccb21f-be95-426e-88b3-020bd39158f1
>  https://docs.microsoft.com/en-us/openspecs/windows_protocols/MS-SPNG/fe1b1adc-07f6-40c0-a36b-b4f75be2695e
> / Alexander Bokovoy
Senior Software Engineer, 389 Directory Server
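As an added illustration of the point above that a SPNEGO NegTokenInit advertises a list of mechanisms (krb5, NTLM, NEGOEX, ...), here is a small self-contained DER walker, not code from the thread or from Samba, that extracts the mechTypes list from an initial SPNEGO token so an admin can see exactly which mechanisms a client offers. The sample token is constructed inline; the mechanism OIDs are the published ones from RFC 4121, MS-SPNG and MS-NEGOEX.

```python
"""List the mechanisms a SPNEGO NegTokenInit (RFC 4178) advertises."""

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {                      # dotted OID -> common name
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}

def der_len(n):                     # DER length, short or long form
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):                 # tag + length + value
    return bytes([tag]) + der_len(len(body)) + body

def oid_encode(dotted):             # dotted string -> DER OBJECT IDENTIFIER
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]          # base-128, continuation bit on all but last
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def oid_decode(body):               # OID value bytes -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):           # -> (tag, value, position after element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def spnego_mech_types(token):
    """Return the dotted OIDs in mechTypes of an initial SPNEGO token."""
    tag, body, _ = read_tlv(token)              # [APPLICATION 0] wrapper
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)              # thisMech must be SPNEGO
    if tag != 0x06 or oid_decode(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    tag, neg, _ = read_tlv(body, pos)           # [0] negTokenInit
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    _, seq, _ = read_tlv(neg)                   # NegTokenInit ::= SEQUENCE
    tag, mtl, _ = read_tlv(seq)                 # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, lst, _ = read_tlv(mtl)                   # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(lst):
        _, oid, pos = read_tlv(lst, pos)
        mechs.append(oid_decode(oid))
    return mechs

def describe(token):                # OIDs mapped to names where known
    return [MECH_NAMES.get(o, o) for o in spnego_mech_types(token)]

def build_neg_token_init(mech_oids):            # constructed sample builder
    lst = tlv(0x30, b"".join(oid_encode(o) for o in mech_oids))
    init = tlv(0x30, tlv(0xA0, lst))
    return tlv(0x60, oid_encode(SPNEGO_OID) + tlv(0xA0, init))

# Constructed sample: a client offering NEGOEX, Kerberos and NTLM, in that order
SAMPLE = build_neg_token_init(["1.3.6.1.4.1.311.2.2.30",
                               "1.2.840.113554.1.2.2",
                               "1.3.6.1.4.1.311.2.2.10"])

if __name__ == "__main__":
    print(describe(SAMPLE))         # ['NEGOEX', 'KRB5', 'NTLMSSP']
```

Run against the first SPNEGO blob of a captured SMB session setup to see which mechanisms the client actually offers, for instance to confirm that NTLM is absent.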