Bug 12611 - credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Hardware: All All
Importance: P5 normal
Assigned To: Karolin Seeger
Reported: 2017-03-03 09:22 UTC by Alexander Bokovoy
Modified: 2017-03-27 09:32 UTC (History)

patch for git master (3.05 KB, patch)
2017-03-03 09:53 UTC, Alexander Bokovoy
smb_gss_krb5_import_cred for git master (16.95 KB, patch)
2017-03-08 16:57 UTC, Alexander Bokovoy
version for v4.6 (17.48 KB, patch)
2017-03-09 08:07 UTC, Alexander Bokovoy
asn: review+
addition patch for 4.6 (1.76 KB, patch)
2017-03-10 17:19 UTC, Alexander Bokovoy
asn: review+
new additional patch for 4.6 (1.89 KB, patch)
2017-03-14 11:06 UTC, Alexander Bokovoy
asn: review+

Description Alexander Bokovoy 2017-03-03 09:22:51 UTC
Use gss_acquire_cred() to obtain credentials from the default
credentials store for client-based GENSEC GSSAPI operation.

This allows proper execution under the GSSAPI interposer plugin provided by
the GSS-proxy project. GSS-proxy 0.6.2 makes it possible to interpose
gss_acquire_cred() in a similar fashion to gss_acquire_cred_from().
While gss_acquire_cred_from() is a MIT extension, gss_acquire_cred() is
available in Heimdal as well and is used in other parts of Samba, namely
in source3's GENSEC gse module.

Client operation in a GSS-proxy-enabled environment is needed for the upcoming
FreeIPA 4.5, which internally does privilege separation between its
framework and Apache front end code that handles actual authentication
of incoming client requests.

Samba Python bindings are used by FreeIPA framework to establish forest
trust between local Samba and remote Active Directory forests. When
FreeIPA administrator attempts to create a trust, FreeIPA uses S4U2Proxy
to allow HTTP/... principal to act on behalf of the remote administrator
credentials. With privilege separation in place, Samba GENSEC and
credentials code is unable to find actual tickets in the credential
cache available in the environment because GSS-proxy keeps them
encrypted and only accessible via GSSAPI calls that were interposed.

gss_krb5_import_cred() is not interposed, like many other direct Kerberos
extensions to GSSAPI. As a result, we need to use a proper GSSAPI call here.
Comment 1 Alexander Bokovoy 2017-03-03 09:53:49 UTC
Created attachment 13008
patch for git master
Comment 2 Andreas Schneider 2017-03-03 11:48:20 UTC
I've already implemented this some time ago. But metze didn't want that change. See

Comment 3 Andreas Schneider 2017-03-03 11:52:39 UTC
We implemented it using: f981e2c9801cab2fbbf8017cd72a9c4987195f10

gss_acquire_cred() does not store it in the correct ccache ...
Comment 4 Alexander Bokovoy 2017-03-03 11:54:16 UTC
It seems the gss_acquire_cred_from() approach is now feasible. We don't need the server side working under gssproxy, so your branch is just fine.

See https://lists.samba.org/archive/samba-technical/2017-March/119065.html
Comment 5 Alexander Bokovoy 2017-03-08 16:56:20 UTC
After a few rounds of review, here is the current status:

 - The attached patch implements smb_gss_krb5_import_cred() via gss_acquire_cred_from() for MIT krb5 versions that have it (MIT 1.11 or later). The patch changes use of gss_krb5_import_cred() to this wrapper and moves the fallback code from source3/librpc/crypto/gse.c:gse_init_server() to the wrapper. The fallback code is needed for MIT krb5 prior to 1.9.2.

 - The patch will be backported to 4.6.

 - In git master we'll bump MIT krb5 requirements to 1.10. This allows us to remove the fallback code completely. MIT krb5 1.10 is actually shipped by all supported Linux and FreeBSD versions which originally used MIT krb5 1.9.

 - In git master we'll move from gss_krb5_import_cred() to a wrapper smb_gss_acquire_cred_from() that would be a pass-through to gss_krb5_acquire_cred_from() on MIT krb5 1.11 or later and will implement equivalent functionality for Heimdal and older MIT versions (1.10.x).

The latter change will come in stages -- auth/credentials/credentials_krb5.c needs to be prepared for direct use of smb_gss_acquire_cred_from() first but given that we would already be using gss_acquire_cred_from() as part of smb_gss_krb5_import_cred() on contemporary MIT krb5 versions, that should be acceptable.
Comment 6 Alexander Bokovoy 2017-03-08 16:57:44 UTC
Created attachment 13032
smb_gss_krb5_import_cred for git master
Comment 7 Alexander Bokovoy 2017-03-09 08:07:12 UTC
Created attachment 13033
version for v4.6

The patchset is in git master now. I'm attaching v4.6 version which is cherry-picked from the git master.

Please apply.
Comment 8 Andreas Schneider 2017-03-09 14:14:01 UTC
Karolin, please add the patchset to the next samba 4.6 release. Thanks.
Comment 9 Alexander Bokovoy 2017-03-10 17:19:46 UTC
Created attachment 13036
addition patch for 4.6

Additional patch for 4.6, cherry-picked from git master 30c07065300281e3a67197fe39ed928346480ff7
Comment 10 Karolin Seeger 2017-03-14 09:45:01 UTC
Additional patch does not work:

user@host:/data/git/samba/v4-6-test$ git am samba-v4.6-credentials-fix-realm.patch
Patch format detection failed.

Patching manually works, but I am not sure whether the patch is complete, so please re-attach the patch.

Comment 11 Alexander Bokovoy 2017-03-14 11:06:30 UTC
Created attachment 13055
new additional patch for 4.6

Regenerated additional patch -- should be applied on top of the smb_gss_krb5_import_cred patchset.
Comment 12 Karolin Seeger 2017-03-23 11:19:07 UTC
Pushed to autobuild-v4-6-test.
Comment 13 Karolin Seeger 2017-03-27 09:32:42 UTC
(In reply to Karolin Seeger from comment #12)
Pushed to v4-6-test.
Closing out bug report.