GSS-SPNEGO Re: Cyrus-sasl Digest, Vol 136, Issue 10



On 02/22/2017 09:00 AM, cyrus-sasl-request@xxxxxxxxxxxxxxxxxxxx wrote:

Today's Topics:

    1. Re: Is anyone using GSS-SPNEGO in cyrus-sasl? (Ken Murchison)

We are shipping it enable-able in that libsasl2 will find it in .h files, but I doubt if anyone is using it. We expect customers may want it. My notes say we can't get testsuite to work with that enabled.

When fixing it for Windows, can hooks be put in to allow for future configure changes to set up different behavior on Linux or Solaris? Or programmed in a modular way?


Message: 1
Date: Tue, 21 Feb 2017 13:30:44 -0500
From: Ken Murchison <murch@xxxxxxxxxxxxxx>
To: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx
Subject: Re: Is anyone using GSS-SPNEGO in cyrus-sasl?
Message-ID: <e2d450a2-f7cb-8671-57d7-5d0b5e5cdd3a@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8; format=flowed

At first glance, this patch looks sane.  I will commit it shortly.

On 02/21/2017 10:34 AM, Jakub Jelen wrote:
On 02/21/2017 03:52 PM, Simo Sorce wrote:
Hello all,

On Tue, 2017-02-21 at 15:36 +0100, Jakub Jelen wrote:
Hello all,
we are working on support for GSS-SPNEGO, but there is a problem that
current implementation (RFC) is not compatible with the only other
implementation we know about on Windows.
I just want to clarify that the RFC in question is RFC 4559 (at least
according to the commit messages in git that introduced the GSS-SPNEGO
mechanism in 2011). This RFC does not document how to implement
GSS-SPNEGO, but only how to use the GSSAPI SPNEGO mechanism for HTTP

The GSS-SPNEGO implementation in cyrus-sasl has been always incorrect,
and worked for HTTP auth solely because all SSF layer negotiation is not
performed at all in that case as HTTP is handled via a special flag.

Cyrus-sasl's GSS-SPNEGO implementation is self-consistent, but it has
never worked (either client or server) against the reference
implementation (Microsoft Windows OSs).

Is there anyone using the GSS-SPNEGO against something else than

We would like to modify this behavior to work with Windows and we would
like to estimate what can be broken by the modification of this
and what are the possibilities to support backward compatibility. I
would be glad for any input.
The patch here:

fixes the behavior of GSS-SPNEGO to work against Windows Servers and to
let Windows clients work against cyrus-sasl servers.

This has been tested with ldap client tools against an AD server using
Kerberos credentials, and using ldp.exe on an Active Directory client
against a 389ds LDAP server.

This patchset breaks compatibility with the older GSS-SPNEGO
implementation but does not change the behavior for the GSSAPI one.
It also does not break HTTP auth behavior as that case still shortcuts
SSF negotiation which is the only thing changed by this patch.

If this patch is ok I will open a PR or send it to the mailing list if
that's preferred.


NOTE: I am not subscribed to the ML, please keep me in CC.
Re-sending more comments from Simo, since his answer was rejected from
the ML.


Jan Parcel, Developer Oracle Systems, SPARC & Solaris System Software Engineering
