At first glance, this patch looks sane. I will commit it shortly.
On 02/21/2017 10:34 AM, Jakub Jelen wrote:
On 02/21/2017 03:52 PM, Simo Sorce wrote:
Hello all,
On Tue, 2017-02-21 at 15:36 +0100, Jakub Jelen wrote:
Hello all,
we are working in support for GSS-SPNEGO, but there is a problem that
current implementation (RFC) is not compatible with the only other
implementation we know about on Windows.
I just want to clarify that the RFC in question is RFC 4559 (at least
according to the commit messages in git that introduced the GSS-SPNEGO
mechanism in 2011). This RFC does not document how to implement
GSS-SPNEGO, but only how to use the GSSAPI SPNEGO mechanism for HTTP
auth.
The GSS-SPNEGO implementation in cyrus-sasl has been always incorrect,
and worked for HTTP auth solely because all SSF layer negotiation is not
performed at all in that case as HTTP is handled via a special flag.
Cyrus-sasl's GSS-SPNEGO implementation is self consistent, but it has
never worked (either client or server) against the reference
implementation (Microsoft Windows OSs).
Is there anyone using the GSS-SPNEGO against something else than
Windows?
We would like to modify this behavior to work with Windows and we would
like to estimate what can be broken by the modification of this
behavior
and what are the possibilities to support backward compatibility. I
would be glad for any input.
The patch here:
https://github.com/simo5/cyrus-sasl/commit/72b01964a240da457783f0651bef0ff9f146eb3b
fixes the behavior of GSS-SPNEGO to work against Windows Servers and to
let Windows clients work against cyrus-sasl servers.
This has been tested with ldap client tools against an AD server using
Kerberos credentials, and using ldp.exe on an Active Directory client
against a 389ds LDAP server.
This patchset breaks compatibility with the older GSS-SPNEGO
implementation but does not change the behavior for the GSSAPI one.
It also does not break HTTP auth behavior as that case still shortcuts
SSF negotiation which is the only thing changed by this patch.
If this patch is ok I will open a PR or send it to the mailing list if
that's preferred.
Simo.
NOTE: I am not subscribed to the ML, please keep me in CC.
Re-sending more comments from Simo, since his answer was rejected from
the ML.
Jakub
--
Kenneth Murchison
Principal Systems Software Engineer
Carnegie Mellon University