The Samba-Bugzilla – Bug 12611
credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case
Last modified: 2017-03-27 09:32:42 UTC
Use gss_acquire_cred() to obtain credentials from the default
credentials store for client-based GENSEC GSSAPI operation.
This allows proper execution under GSSAPI interposer plugin provided by
GSS-proxy project. GSS-proxy 0.6.2 makes it possible to interpose
gss_acquire_cred() in a similar fashion to gss_acquire_cred_from().
While gss_acquire_cred_from() is a MIT extension, gss_acquire_cred() is
available in Heimdal as well and is used in other parts of Samba, namely
in source3's GENSEC gse module.
Client operation in GSS-proxy-enabled environment is needed for upcoming
FreeIPA 4.5 which internally does privilege separation between its
framework and Apache front end code that handles actual authentication
of incoming client requests.
Samba Python bindings are used by FreeIPA framework to establish forest
trust between local Samba and remote Active Directory forests. When
a FreeIPA administrator attempts to create a trust, FreeIPA uses S4U2Proxy
to allow HTTP/... principal to act on behalf of the remote administrator
credentials. With privilege separation in place, Samba GENSEC and
credentials code is unable to find actual tickets in the credential
cache available in the environment because GSS-proxy keeps them
encrypted and only accessible via GSSAPI calls that were interposed.
gss_krb5_import_cred() is not interposed, like many other direct Kerberos
extensions to GSSAPI. As a result, we need to use a proper GSSAPI call here.
Created attachment 13008
patch for git master
I've already implemented this some time ago. But metze didn't want that change. See
We implemented it using: f981e2c9801cab2fbbf8017cd72a9c4987195f10
gss_acquire_cred() does not store it in the correct ccache ...
It seems gss_acquire_cred_from() approach is now feasible. We don't need server side working under gssproxy, so your branch is just fine.
After a few rounds of reviews, here is the current status:
- attached patch implements smb_gss_krb5_import_cred() via gss_acquire_cred_from() for MIT krb5 versions that have it (MIT 1.11 or later). The patch changes use of gss_krb5_import_cred() to this wrapper and moves the fallback code from source3/librpc/crypto/gse.c:gse_init_server() to the wrapper. The fallback code is needed for MIT krb5 prior to 1.9.2.
- the patch will be backported to 4.6
- In git master we'll bump MIT krb5 requirements to 1.10. This allows us to remove the fallback code completely. MIT krb5 1.10 is actually shipped by all supported Linux and FreeBSD versions which originally used MIT krb5 1.9.
- In git master we'll move from gss_krb5_import_cred() to a wrapper smb_gss_acquire_cred_from() that would be a pass-through to gss_krb5_acquire_cred_from() on MIT krb5 1.11 or later and will implement equivalent functionality for Heimdal and older MIT versions (1.10.x).
The latter change will come in stages -- auth/credentials/credentials_krb5.c needs to be prepared for direct use of smb_gss_acquire_cred_from() first but given that we would already be using gss_acquire_cred_from() as part of smb_gss_krb5_import_cred() on contemporary MIT krb5 versions, that should be acceptable.
Created attachment 13032
smb_gss_krb5_import_cred for git master
Created attachment 13033
version for v4.6
The patchset is in git master now. I'm attaching v4.6 version which is cherry-picked from the git master.
Karolin, please add the patchset to the next samba 4.6 release. Thanks.
Created attachment 13036
additional patch for 4.6
Additional patch for 4.6, cherry-picked from git master 30c07065300281e3a67197fe39ed928346480ff7
Additional patch does not work:
user@host:/data/git/samba/v4-6-test$ git am samba-v4.6-credentials-fix-realm.patch
Patch format detection failed.
Patching manually works, but I am not sure whether the patch is complete, so please re-attach the patch.
Created attachment 13055
new additional patch for 4.6
Regenerated additional patch -- should be applied on top of the smb_gss_krb5_import_cred patchset.
Pushed to autobuild-v4-6-test.
(In reply to Karolin Seeger from comment #12)
Pushed to v4-6-test.
Closing out bug report.