From krb5-bugs-incoming-bounces@PCH.mit.edu Fri Dec 11 04:20:52 2009
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id 0C43ECCA06;
Fri, 11 Dec 2009 04:20:52 +0000 (UTC)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nBB4KpSA020970;
Thu, 10 Dec 2009 23:20:51 -0500
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id nBAKqKYn024748
for <krb5-bugs-incoming@PCH.mit.edu>; Thu, 10 Dec 2009 15:52:20 -0500
Received: from dmz-mailsec-scanner-7.mit.edu (DMZ-MAILSEC-SCANNER-7.MIT.EDU
[18.7.68.36])
by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
nBAKiZRX004448
for <krb5-bugs@mit.edu>; Thu, 10 Dec 2009 15:52:33 -0500 (EST)
X-AuditID: 12074424-b7cfcae0000068a6-4f-4b215f636431
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
by (Symantec Brightmail Gateway) with SMTP id DA.E1.26790.36F512B4;
Thu, 10 Dec 2009 15:51:47 -0500 (EST)
Received: from int-mx03.intmail.prod.int.phx2.redhat.com
(int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.16])
by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id nBAKpkhH028603
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <krb5-bugs@mit.edu>; Thu, 10 Dec 2009 15:51:46 -0500
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23])
by int-mx03.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id nBAKpjSp021132
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <krb5-bugs@mit.edu>; Thu, 10 Dec 2009 15:51:46 -0500
Received: from blade.bos.redhat.com (localhost [127.0.0.1])
by blade.bos.redhat.com (8.14.3/8.14.3) with ESMTP id nBAKqBNj010077
for <krb5-bugs@mit.edu>; Thu, 10 Dec 2009 15:52:11 -0500
Received: (from nalin@localhost)
by blade.bos.redhat.com (8.14.3/8.14.3/Submit) id nBAKqBOt010076;
Thu, 10 Dec 2009 15:52:11 -0500
Date: Thu, 10 Dec 2009 15:52:11 -0500
Message-Id: <200912102052.nBAKqBOt010076@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: gss_krb5_copy_ccache() doesn't work with spnego delegation
From: nalin@redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.42
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.16
X-Brightmail-Tracker: AAAAAxIFCWQSBQvfEgUL4A==
X-Spam-Score: 0.55
X-Spam-Flag: NO
X-Mailman-Approved-At: Thu, 10 Dec 2009 23:20:45 -0500
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: nalin@redhat.com
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
>Submitter-Id: net
>Originator:
>Organization: Red Hat
>Confidential: no
>Synopsis: gss_krb5_copy_ccache() doesn't work with spnego delegation
>Severity: non-critical
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: 1.7
>Environment:
System: Linux blade.bos.redhat.com 2.6.31.6-162.fc12.x86_64 #1 SMP Fri Dec 4 00:06:26 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
We're seeing problems in mod_auth_kerb with firefox as its client, when firefox is configured to delegate credentials and mod_auth_kerb is
configured to save them to disk. In these cases, mod_auth_kerb is
logging this error:
Cannot store delegated credential (gss_krb5_copy_ccache: An unsupported mechanism was requested (, Unknown error))
Firefox is careful to use spnego when it's attempting negotiate auth,
and other clients which aren't as careful (and which end up sending
Kerberos tokens) work as expected.
It looks like gss_krb5_copy_ccache() calls gssspi_set_cred_option()
with the spnego credential handle, and gssspi_set_cred_option() returns
GSS_S_BAD_MECH because the spnego mech doesn't provide a function
for it to use.
>How-To-Repeat:
Configure a client which uses spnego (such as firefox) to delegate credentials to a server which attempts to store delegated creds to
a Kerberos ccache, and attempt to authenticate to the service.
>Fix:
This is one possible patch. It punts a set_cred_option() call down to the mechanism for the first credential that we have whose mechanism
implements a set_cred_option() method. I'm not sure this is the
correct fix. If this is the right fix, we may also need to change
gssspi_set_cred_option() to keep going if it gets GSS_S_UNAVAILABLE
back from the mechanism-specific function, but then in cases where
there are multiple credentials, the mechanism of the first one might
not be the right one to use anyway.
Index: src/lib/gssapi/spnego/gssapiP_spnego.h
===================================================================
--- src/lib/gssapi/spnego/gssapiP_spnego.h (revision 23461)
+++ src/lib/gssapi/spnego/gssapiP_spnego.h (working copy)
@@ -352,6 +352,15 @@
);
OM_uint32
+spnego_gss_set_cred_option
+(
+ OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value
+);
+
+OM_uint32
spnego_gss_set_sec_context_option
(
OM_uint32 *minor_status,
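Review bot: the new prototype agrees with the definition added in spnego_mech.c (same four parameters, same const qualifiers, cred_handle passed by value) and follows the layout of the neighbouring spnego_gss_set_sec_context_option declaration. The one nit is documentation: nothing in the header says this entry only forwards the option to the mechanism-specific credential, so a one-line comment above the prototype stating that would help whoever next touches the SPNEGO mech table.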
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c (revision 23461)
+++ src/lib/gssapi/spnego/spnego_mech.c (working copy)
@@ -250,7 +250,7 @@
spnego_gss_inquire_sec_context_by_oid, /* gss_inquire_sec_context_by_oid */
spnego_gss_inquire_cred_by_oid, /* gss_inquire_cred_by_oid */
spnego_gss_set_sec_context_option, /* gss_set_sec_context_option */
- NULL, /* gssspi_set_cred_option */
+ spnego_gss_set_cred_option, /* gssspi_set_cred_option */
NULL, /* gssspi_mech_invoke */
spnego_gss_wrap_aead,
spnego_gss_unwrap_aead,
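Review bot: replacing NULL with spnego_gss_set_cred_option changes the SPNEGO mechanism's answer for every credential option OID, not just the one gss_krb5_copy_ccache() needs: where the mechglue previously returned GSS_S_BAD_MECH for a SPNEGO credential, callers now get whatever the forwarded call returns. That is the intended effect, but it is worth stating in the commit message so the behaviour change for other option OIDs is on record. The entry keeps the `/* gssspi_set_cred_option */` slot comment aligned with its neighbours, which is good.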
@@ -2186,6 +2186,21 @@
}
OM_uint32
+spnego_gss_set_cred_option(
+ OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ const gss_OID desired_object,
+ const gss_buffer_t value)
+{
+ OM_uint32 ret;
+ ret = gssspi_set_cred_option(minor_status,
+ cred_handle,
+ desired_object,
+ value);
+ return (ret);
+}
+
+OM_uint32
spnego_gss_set_sec_context_option(
OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
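Review bot: spnego_gss_set_cred_option passes cred_handle through unchanged to gssspi_set_cred_option, so it assumes the handle the mechglue gives the SPNEGO mechanism is itself a mechglue union credential. If SPNEGO keeps the underlying credential behind a private wrapper structure (as the other spnego_gss_* credential functions in this file would then have to unwrap), the wrapper must be unwrapped here before the call, otherwise the mechglue will interpret a SPNEGO-private pointer as a union credential. Please confirm which it is and add a comment above the call saying what cred_handle is expected to be. The open question from the description still stands: the forwarded call applies the option to the first underlying credential whose mechanism implements set_cred_option, and a GSS_S_UNAVAILABLE from that mechanism ends the attempt, so with several credentials the one that gets the option may not be the Kerberos one. Minor style point: the local `ret` adds nothing; `return gssspi_set_cred_option(minor_status, cred_handle, desired_object, value);` reads more directly.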