Following Steve's Question - Re Tokens in SPNEGO

William Brown wbrown at suse.de
Sat May 30 09:33:07 UTC 2020



> On 29 May 2020, at 20:40, Alexander Bokovoy via samba-technical <samba-technical at lists.samba.org> wrote:
> 
> Hi William,
> 
> On pe, 29 touko 2020, William Brown via samba-technical wrote:
>> Hi there,
>> 
>> Thinking about Steve's question yesterday, it would be interesting to
>> hear an answer from the experts on this mailing list. What would
>> opaque token authentication look like in Samba? How would a passdb
>> support this style of authentication? How would a client get the token
>> to pass through?
>> 
>> It would be great to know more about this and explore some of these thoughts. 
> 
> My current thinking is around reusing existing infrastructure in the
> protocol. SMB3 authenticates with SPNEGO[1]. SPNEGO allows multiple
> authentication mechanisms to be advertised, the most common ones being krb5
> and NTLM. These are not the only ones; a common extension mechanism
> called NEGOEX can be used as well[2].
> 
> NEGOEX is basically a way to tunnel some method of authentication known
> to both client and server through SPNEGO. It doesn't need to
> require a third party (like a KDC) to broker the authenticity of the
> parties. MIT Kerberos supports NEGOEX since version 1.18, and there are also
> patches for Heimdal.

How would the current tdb passdb or ldapsam work with this? A hook where the content of the NEGOEX is sent to that module?

I.e. think bearer tokens from OAuth being passed in that can be validated, or a SAML assertion which you can check, as the passdb has a registered handler.

It would be interesting to know how a Windows server + Windows desktop, both joined to Azure AD, conduct their authentication in this case, since there should be no NTLM or krb involved...

...

>  gss_inquire_name(..., &attrs);
> 
>  find an attribute with the right name
> 
>  gss_get_name_attribute(..., name, attribute, ..., &value, ...);
> 
>  extract NT security token or something that can be used to construct
>  it from the value with the right name
> 
> 
> [1] https://docs.microsoft.com/en-us/openspecs/windows_protocols/MS-SPNG/d2ccb21f-be95-426e-88b3-020bd39158f1
> [2] https://docs.microsoft.com/en-us/openspecs/windows_protocols/MS-SPNG/fe1b1adc-07f6-40c0-a36b-b4f75be2695e
> 
> -- 
> / Alexander Bokovoy
> 

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs

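The mechanism list Alexander refers to is visible in the SPNEGO negTokenInit a client sends during SMB2 SESSION_SETUP; the decoder below is an added example, not code from this thread or from Samba, and the sample token it parses is constructed here (the mechanism OIDs are the public RFC 4178 / [MS-SPNG] values).

```python
# Added example (not from the thread or Samba): list the mechanisms a client
# advertises in a SPNEGO negTokenInit (RFC 4178), given the raw GSS-API token.
SPNEGO_OID = "1.3.6.1.5.5.2"
# Well-known mechanism OIDs (public values, not taken from the thread).
MECH_NAMES = {"1.2.840.113554.1.2.2": "krb5", "1.3.6.1.4.1.311.2.2.10": "ntlmssp",
              "1.3.6.1.4.1.311.2.2.30": "negoex"}

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode DER OID content octets to dotted form (first arc 0, 1 or 2)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def spnego_mech_types(token):
    """Return the dotted OIDs in negTokenInit.mechTypes, in the order sent."""
    tag, body, _ = read_tlv(token, 0)
    oid_tag, oid, pos = read_tlv(body, 0)
    if tag != 0x60 or oid_tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO InitialContextToken")
    _, neg_init, _ = read_tlv(body, pos)       # negTokenInit [0]
    _, seq, _ = read_tlv(neg_init, 0)          # SEQUENCE { mechTypes [0], ... }
    tag, mech_types, _ = read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("mechTypes [0] missing or not first")
    _, oids, _ = read_tlv(mech_types, 0)       # SEQUENCE OF MechType
    result, pos = [], 0
    while pos < len(oids):
        _, oid, pos = read_tlv(oids, pos)
        result.append(decode_oid(oid))
    return result

def mech_names(token):
    return [MECH_NAMES.get(o, o) for o in spnego_mech_types(token)]
# Constructed sample token advertising NEGOEX, then krb5, then NTLMSSP.
SAMPLE_TOKEN = bytes.fromhex(
    "60 33 06 06 2b 06 01 05 05 02 a0 29 30 27 a0 25 30 23"
    "06 0a 2b 06 01 04 01 82 37 02 02 1e 06 09 2a 86 48 86 f7 12 01 02 02"
    "06 0a 2b 06 01 04 01 82 37 02 02 0a")
```

Run over a token captured from a real SESSION_SETUP, the order of the list shows which mechanism the client prefers and whether NTLM is still being offered at all.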