From krb5-bugs-incoming-bounces@PCH.mit.edu Fri Dec 11 04:20:52 2009 Return-Path: Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (Postfix) with ESMTP id 0C43ECCA06; Fri, 11 Dec 2009 04:20:52 +0000 (UTC) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nBB4KpSA020970; Thu, 10 Dec 2009 23:20:51 -0500 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nBAKqKYn024748 for ; Thu, 10 Dec 2009 15:52:20 -0500 Received: from dmz-mailsec-scanner-7.mit.edu (DMZ-MAILSEC-SCANNER-7.MIT.EDU [18.7.68.36]) by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id nBAKiZRX004448 for ; Thu, 10 Dec 2009 15:52:33 -0500 (EST) X-AuditID: 12074424-b7cfcae0000068a6-4f-4b215f636431 Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by (Symantec Brightmail Gateway) with SMTP id DA.E1.26790.36F512B4; Thu, 10 Dec 2009 15:51:47 -0500 (EST) Received: from int-mx03.intmail.prod.int.phx2.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id nBAKpkhH028603 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Thu, 10 Dec 2009 15:51:46 -0500 Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23]) by int-mx03.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id nBAKpjSp021132 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 10 Dec 2009 15:51:46 -0500 Received: from blade.bos.redhat.com (localhost [127.0.0.1]) by blade.bos.redhat.com (8.14.3/8.14.3) with ESMTP id nBAKqBNj010077 for ; Thu, 10 Dec 2009 15:52:11 -0500 Received: (from nalin@localhost) by blade.bos.redhat.com (8.14.3/8.14.3/Submit) id nBAKqBOt010076; Thu, 10 Dec 2009 15:52:11 -0500 Date: Thu, 10 Dec 2009 15:52:11 -0500 Message-Id: <200912102052.nBAKqBOt010076@blade.bos.redhat.com> To: krb5-bugs@mit.edu Subject: gss_krb5_copy_ccache() doesn't work with spnego delegation From: nalin@redhat.com X-send-pr-version: 3.99 X-Scanned-By: MIMEDefang 2.42 X-Scanned-By: MIMEDefang 2.67 on 10.5.11.16 X-Brightmail-Tracker: AAAAAxIFCWQSBQvfEgUL4A== X-Spam-Score: 0.55 X-Spam-Flag: NO X-Mailman-Approved-At: Thu, 10 Dec 2009 23:20:45 -0500 X-BeenThere: krb5-bugs-incoming@mailman.mit.edu X-Mailman-Version: 2.1.6 Precedence: list Reply-To: nalin@redhat.com Sender: krb5-bugs-incoming-bounces@PCH.mit.edu Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu >Submitter-Id: net >Originator: >Organization: Red Hat >Confidential: no >Synopsis: gss_krb5_copy_ccache() doesn't work with spnego delegation >Severity: non-critical >Priority: medium >Category: krb5-libs >Class: sw-bug >Release: 1.7 >Environment: System: Linux blade.bos.redhat.com 2.6.31.6-162.fc12.x86_64 #1 SMP Fri Dec 4 00:06:26 EST 2009 x86_64 x86_64 x86_64 GNU/Linux Architecture: x86_64 >Description: We're seeing problems in mod_auth_kerb with firefox as its client, when firefox is configured to delegate credentials and mod_auth_kerb is configured to save them to disk. In these cases, mod_auth_kerb is logging this error: Cannot store delegated credential (gss_krb5_copy_ccache: An unsupported mechanism was requested (, Unknown error)) Firefox is careful to use spnego when it's attempting negotiate auth, and other clients which aren't as careful (and which end up sending Kerberos tokens) work as expected. It looks like gss_krb5_copy_ccache() calls gssspi_set_cred_option() with the spnego credential handle, and gssspi_set_cred_option() returns GSS_S_BAD_MECH because the spnego mech doesn't provide a function for it to use. >How-To-Repeat: Configure a client which uses spnego (such as firefox) to delegate credentials to a server which attempts to store delegated creds to a Kerberos ccache, and attempt to authenticate to the service. >Fix: This is one possible patch. It punts a set_cred_option() call down to the mechanism for the first credential that we have whose mechanism implements a set_cred_option() method. I'm not sure this is the correct fix. If this is the right fix, we may also need to change gssspi_set_cred_option() to keep going if it gets GSS_S_UNAVAILABLE back from the mechanism-specific function, but then in cases where there are multiple credentials, the mechanism of the first one might not be the right one to use anyway. Index: src/lib/gssapi/spnego/gssapiP_spnego.h =================================================================== --- src/lib/gssapi/spnego/gssapiP_spnego.h (revision 23461) +++ src/lib/gssapi/spnego/gssapiP_spnego.h (working copy) @@ -352,6 +352,15 @@ ); OM_uint32 +spnego_gss_set_cred_option +( + OM_uint32 *minor_status, + gss_cred_id_t cred_handle, + const gss_OID desired_object, + const gss_buffer_t value +); + +OM_uint32 spnego_gss_set_sec_context_option ( OM_uint32 *minor_status, Index: src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- src/lib/gssapi/spnego/spnego_mech.c (revision 23461) +++ src/lib/gssapi/spnego/spnego_mech.c (working copy) @@ -250,7 +250,7 @@ spnego_gss_inquire_sec_context_by_oid, /* gss_inquire_sec_context_by_oid */ spnego_gss_inquire_cred_by_oid, /* gss_inquire_cred_by_oid */ spnego_gss_set_sec_context_option, /* gss_set_sec_context_option */ - NULL, /* gssspi_set_cred_option */ + spnego_gss_set_cred_option, /* gssspi_set_cred_option */ NULL, /* gssspi_mech_invoke */ spnego_gss_wrap_aead, spnego_gss_unwrap_aead, @@ -2186,6 +2186,21 @@ } OM_uint32 +spnego_gss_set_cred_option( + OM_uint32 *minor_status, + gss_cred_id_t cred_handle, + const gss_OID desired_object, + const gss_buffer_t value) +{ + OM_uint32 ret; + ret = gssspi_set_cred_option(minor_status, + cred_handle, + desired_object, + value); + return (ret); +} + +OM_uint32 spnego_gss_set_sec_context_option( OM_uint32 *minor_status, gss_ctx_id_t *context_handle,