Bug 15748 - Implement GSS_C_IDENTIFY_FLAG/NTLMSSP_FEATURE_IDENTIFY_ONLY
Summary: Implement GSS_C_IDENTIFY_FLAG/NTLMSSP_FEATURE_IDENTIFY_ONLY
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.21.1
Hardware: All, OS: All
Importance: P5 enhancement
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-10-29 18:19 UTC by Michael Saxl
Modified: 2024-10-30 18:41 UTC

See Also:


Description Michael Saxl 2024-10-29 18:19:05 UTC
There exists a flag in both Kerberos and NTLMSSP that can be used by a client to instruct the server not to impersonate the user.

Quote from RFC 4757:
   GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the
   server that it should only allow the server application to identify
   the client by name and ID, but not to impersonate the client.

The NTLM side:
"Identify: A Boolean setting that indicates that the caller wants the 
server to know the identity of the caller, but that the server not be 
allowed to impersonate the caller to resources on that system.
Setting this flag results in the NTLMSSP_NEGOTIATE_IDENTIFY flag being 
set. Indicates that the GSS_C_IDENTIFY_FLAG flag was set in the 
GSS_Init_sec_context call, as discussed in [RFC4757] section 7.1, and 
results in the GSS_C_IDENTIFY_FLAG flag set in the authenticator's 
checksum field ([RFC4757] section 7.1)."

My first idea of how this could be implemented is as follows:
Introduce a new GENSEC_FEATURE_IDENTIFY_ONLY.
Setting this feature on a client enables either GSS_C_IDENTIFY_FLAG or NTLMSSP_NEGOTIATE_IDENTIFY. The client then needs to insist that the server confirms that flag (for Heimdal that is probably already done, so setting GSS_C_IDENTIFY_FLAG in gss_want_feature should be enough in source3/librpc/crypto/gse.c and auth4/gensec/gensec_gssapi.c); for NTLM we need to add that feature to the required features (I think this is in auth/ntlmssp).

Setting this feature on a server confirms that the application indeed does not impersonate (and, as a consequence, confirms the feature if requested by the client).
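The negotiation the report proposes, as an added toy model that is not part of the bug report or of Samba's gensec code: the client maps a feature request to the mechanism's wire flag (GSS_C_IDENTIFY_FLAG for Kerberos per RFC 4757 section 7.1, NTLMSSP_NEGOTIATE_IDENTIFY per MS-NLMP), the server only echoes the flag back when the application does not impersonate, and the client treats a missing confirmation as a failed negotiation. The GENSEC_FEATURE_IDENTIFY_ONLY constant and the Server/client_negotiate names are assumptions for illustration, not real Samba identifiers.

```python
"""Toy model of identify-only flag negotiation (added example, not Samba code)."""
from dataclasses import dataclass
from typing import Tuple

# Wire-level flag values from the specifications.
GSS_C_IDENTIFY_FLAG = 0x00002000          # RFC 4757 section 7.1 checksum flag
NTLMSSP_NEGOTIATE_IDENTIFY = 0x00100000   # MS-NLMP NegotiateFlags bit W

# Hypothetical gensec-style feature bit as proposed in the report (not a real Samba constant).
GENSEC_FEATURE_IDENTIFY_ONLY = 1 << 0

# Which wire flag carries "identify only" for each mechanism.
IDENTIFY_FLAG_FOR_MECH = {
    "krb5": GSS_C_IDENTIFY_FLAG,
    "ntlmssp": NTLMSSP_NEGOTIATE_IDENTIFY,
}


@dataclass
class Server:
    """Server side: confirms the identify flag only if the application does not impersonate."""
    impersonates: bool

    def accept(self, mech: str, req_flags: int) -> int:
        ident = IDENTIFY_FLAG_FOR_MECH[mech]
        ret_flags = req_flags
        if req_flags & ident and self.impersonates:
            # The server cannot honour identify-only, so it must not confirm the flag.
            ret_flags &= ~ident
        return ret_flags


def client_negotiate(server: Server, mech: str, want_features: int) -> Tuple[bool, int]:
    """Client side: translate wanted features into the mechanism's flags, then insist
    that every required flag comes back confirmed.

    Returns (True, confirmed_flags) on success or (False, missing_flags) when the
    server did not confirm a required feature."""
    ident = IDENTIFY_FLAG_FOR_MECH[mech]
    req_flags = 0
    required = 0
    if want_features & GENSEC_FEATURE_IDENTIFY_ONLY:
        req_flags |= ident
        required |= ident  # identify-only is a required feature, not a preference
    ret_flags = server.accept(mech, req_flags)
    missing = required & ~ret_flags
    if missing:
        return False, missing
    return True, ret_flags


if __name__ == "__main__":
    for mech in ("krb5", "ntlmssp"):
        for impersonates in (False, True):
            ok, flags = client_negotiate(Server(impersonates), mech, GENSEC_FEATURE_IDENTIFY_ONLY)
            print(f"{mech}: server impersonates={impersonates} -> ok={ok} flags=0x{flags:08x}")
```

The important property is that the client never proceeds on the mere assumption that the server honoured the request: an impersonating server drops the flag from its reply, and the client aborts rather than hand over credentials it did not intend to be impersonated with.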