credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case
Stefan Metzmacher
metze at samba.org
Fri Mar 3 12:12:59 UTC 2017
Hi Alexander,
>>>>> Attached patch is needed for upcoming FreeIPA 4.5 release to allow use
>>>>> of Samba Python bindings in a privilege separation mode provided by
>>>>> GSS-proxy (https://pagure.io/gssproxy). FreeIPA bug is here:
>>>>> https://pagure.io/freeipa/issue/6671, Samba bug is
>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12611
>>>>>
>>>>> Please see more details in the commit message.
>>>>
>>>> Please have a look at
>>>> https://bugzilla.samba.org/show_bug.cgi?id=12480
>>>> for the reasons why we can't use gss_acquire_cred().
>>> Sorry Metze, but you are wrong in this particular case.
>>>
>>> We are using gss_acquire_cred() in a lot of other places -- source3 code
>>> uses GENSEC GSE module on server side through auth_generic_prepare()
>>> which prioritises GENSEC GSE.
>>
>> No we only use gss_acquire_cred() as a fallback in gse_init_server()
>> when gss_krb5_import_cred() has a bug importing a keytab.
>>
>> Are you looking at an older release that doesn't have the #12480
>> patches?
> No, there is also gss_acquire_cred() in master for source3/libads/sasl.c
> but that is only used if gss_krb5_import_cred() is not defined.
We always have gss_krb5_import_cred() as we rely on MIT 1.9,
please review the attached patch to remove the #ifdef.
> For 4.5 I'd need to make sure #12480 is patched too.
It's in 4.5.4 and 4.4.10.
>>> However, cli_credentials_get_client_gss_creds() is only called in two
>>> places:
>>>
>>> - gensec_gssapi_client_creds() in source4/auth/gensec/gensec_gssapi.c
>>> where it is called with default credentials cache. This is client side
>>> use of GENSEC with GSSAPI and never is called inside winbindd where it
>>> could stumble on MEMORY: ccaches.
>>
>> Will operate on cli_credentials_get_client_gss_creds() in almost all cases
>> where we use kerberos, e.g. when the user didn't 'kinit' before
>> and passed a password.
> Nope. It is only used when GENSEC GSSAPI is used. We have a separate
> GENSEC Kerberos module that is using other codepaths and provides
> support for the same OIDs. Both don't work with gssproxy due to this
> bug.
gensec_gssapi.c is the module we're using for kerberos authentication!
gensec_krb5.c is only for simulating the 3.6 code and for the kpassword
sign/seal logic.
So gensec_gssapi.c is the one that's used with MEMORY ccaches all the time,
for command line credentials and for special smbtorture tests.
Note that we only use the default ccache if no -U is provided to the
command line tools. In all other cases (I always use -U and never a
separate kinit) we use MEMORY ccaches.
>> See my other mail for the solution we can aim for.
> I did reply to it already. We have two places where we want to use
> non-default ccache:
>
> source3/libads/sasl.c: maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred);
>
> source3/librpc/crypto/gse.c: gss_maj = gss_krb5_import_cred(&gss_min,
> source3/librpc/crypto/gse.c- gse_ctx->ccache,
>
>
> Other four are using default ccache.
We almost never want to use the default cache!
> Changing to gss_acquire_cred_from()
> would mean we have to obtain default ccache name first and supply it as
> part of a cred store spec. I have code for that, but I was under
> impression you didn't like using gss_acquire_cred_from() at all.
No, I didn't like gss_acquire_cred()!
gss_acquire_cred_from() is fine, I just used gss_krb5_import_cred()
for now as up to now they provided the same functionality but portable
to all supported kerberos libraries.
Now that you showed a valid requirement to use gss_acquire_cred_from(),
we should do that via a wrapper.
> If you are OK for gss_acquire_cred_from(), I'll do a wrapper.
I am :-) Thanks!
metze
-------------- next part --------------
From 6747b11c746e6610d5e4eed98d20c064c57ca439 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 3 Mar 2017 12:56:24 +0100
Subject: [PATCH] s3:libads: remove unused fallback to gss_acquire_cred()
Heimdal and all supported versions of MIT krb5 provide gss_krb5_import_cred(),
so we don't need an #ifdef here.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/libads/sasl.c | 27 ---------------------------
1 file changed, 27 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 8570788..cb630fa 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -365,7 +365,6 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
return ADS_ERROR_KRB5(kerr);
}
-#ifdef HAVE_GSS_KRB5_IMPORT_CRED
kerr = krb5_cc_resolve(kctx, ads->auth.ccache_name, &kccache);
if (kerr) {
status = ADS_ERROR_KRB5(kerr);
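Review bot: dropping `-#ifdef HAVE_GSS_KRB5_IMPORT_CRED` makes the `krb5_cc_resolve(kctx, ads->auth.ccache_name, &kccache)` path unconditional, which is what the commit message argues for; the `HAVE_GSS_KRB5_IMPORT_CRED` build check should be retired in the same series (or its remaining users named in the commit message) so the define is not left dangling once its last `#ifdef` is gone.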
@@ -377,32 +376,6 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
status = ADS_ERROR_GSS(maj, min);
goto done;
}
-#else
- /* We need to fallback to overriding the default creds.
- * This operation is not thread safe as it changes the process
- * environment variable, but we do not have any better option
- * with older kerberos libraries */
- {
- const char *oldccname = NULL;
-
- oldccname = getenv("KRB5CCNAME");
- setenv("KRB5CCNAME", ads->auth.ccache_name, 1);
-
- maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE,
- NULL, GSS_C_INITIATE, cred, NULL, NULL);
-
- if (oldccname) {
- setenv("KRB5CCNAME", oldccname, 1);
- } else {
- unsetenv("KRB5CCNAME");
- }
-
- if (maj != GSS_S_COMPLETE) {
- status = ADS_ERROR_GSS(maj, min);
- goto done;
- }
- }
-#endif
status = ADS_SUCCESS;
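Review bot: the removed `#else` branch selected the ccache by `setenv("KRB5CCNAME", ads->auth.ccache_name, 1)` around `gss_acquire_cred()`, and its own comment flags that as not thread safe because it mutates the process environment; the commit message should say that this thread-unsafe fallback is gone, since that is the security-relevant effect beyond deleting an `#ifdef`. Control flow after the hunk stays sound: a failure in the retained `gss_krb5_import_cred()` path still leaves via `status = ADS_ERROR_GSS(maj, min); goto done;`, so `status = ADS_SUCCESS;` is only reached on success.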
--
1.9.1