I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :)

Modern versions of MIT kerberos support GSS-SPNEGO natively, but are only willing to negotiate for kerberos tickets and not NTLM messages. This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which simply passes SPNEGO packets directly to gssapi if the library is new enough. There is even a configure feature test for the gssapi library in that package's configure script. Note that Debian etch's standard kerb libraries (1.4) are not good enough for this.

Having this work means the other gssapi policy knobs in dovecot, like auth_gssapi_hostname, work properly. Instead of 'whatever it is that samba does'. I guess it fixes the concerns about winbind accesses blocking (although don't the gssapi calls block??)

In light of this it is really only useful to use winbind if you want to support NTLM as kerberos will do the necessary exchanges with the kdc for an Active Directory domain.

In truth a proper and complete design would somehow layer the built in NTLM module under the SPNEGO negotiation and only pass NTLM messages off to samba but I doubt anyone cares with NTLM being rather obsolete.

--- dovecot-1.0.13/src/auth/mech-gssapi.c 2007-12-11 11:52:08.000000000 -0700 +++ dovecot-1.0.13-jgg/src/auth/mech-gssapi.c 2008-08-11 23:52:15.000000000 -0600
@@ -417,4 +424,21 @@ mech_gssapi_auth_free }; +/* MTI Kerberos > 1.5 supports SPNEGO for Kerberos tickets internally. + Nothing else needs to be done here. Note however that this does not + support SPNEGO when the only available credential is NTLM.. */ +const struct mech_module mech_gssapi_spnego = { + "GSS-SPNEGO", + + MEMBER(flags) 0, + + MEMBER(passdb_need_plain) FALSE, + MEMBER(passdb_need_credentials) FALSE, + + mech_gssapi_auth_new, + mech_gssapi_auth_initial, + mech_gssapi_auth_continue, + mech_gssapi_auth_free +}; + #endif --- dovecot-1.0.13/src/auth/mech.c 2007-12-11 11:52:08.000000000 -0700 +++ dovecot-1.0.13-jgg/src/auth/mech.c 2008-08-11 21:30:56.000000000 -0600 @@ -72,6 +72,7 @@ extern struct mech_module mech_anonymous; #ifdef HAVE_GSSAPI extern struct mech_module mech_gssapi; +extern struct mech_module mech_gssapi_spnego; #endif void mech_init(void) @@ -86,6 +87,7 @@ mech_register_module(&mech_anonymous); #ifdef HAVE_GSSAPI mech_register_module(&mech_gssapi); + mech_register_module(&mech_gssapi_spnego); #endif } @@ -101,5 +103,6 @@ mech_unregister_module(&mech_anonymous); #ifdef HAVE_GSSAPI mech_unregister_module(&mech_gssapi); + mech_unregister_module(&mech_gssapi_spnego); #endif }
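Review bot: The new mech_gssapi_spnego module in the mech-gssapi.c hunk is compiled in whenever HAVE_GSSAPI is defined, yet the cover text says only MIT 1.5 and later handle SPNEGO tokens internally and Debian etch's 1.4 does not; on such a library the server would advertise GSS-SPNEGO and then fail when the first token arrives. Wrap the struct in a configure-derived guard (the mod-auth-kerb feature test mentioned in the cover text is the obvious source) rather than reusing HAVE_GSSAPI. Also, the hunk header's +424 against -417 shows an earlier hunk of seven added lines that is not in the posted excerpt, and "MTI Kerberos" in the comment should read "MIT Kerberos".

Review bot: The three mech.c hunks declare, register and unregister mech_gssapi_spnego unconditionally under HAVE_GSSAPI, so a build that also carries the winbind-backed GSS-SPNEGO mechanism ends up with two modules under the same SASL name, and which one answers a client depends on registration order. Guard `mech_register_module(&mech_gssapi_spnego);` and the matching `mech_unregister_module(&mech_gssapi_spnego);` with the same condition that chooses between the internal NTLM module and winbind, so exactly one implementation owns the name.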
Jason Gunthorpe wrote:
> I cooked this up while trying to figure out why thunderbird on Windows
> w/ SSPI was not working, but it turned out thunderbird does not use
> it, so I haven't been able to test it yet. I'm presenting it for
> discussion only, unless someone else can try it :)

thunderbird does all combinations of GSS auth w/ & w/o SSPI I've ever tried; it's just a pain to find the correct combination of network.negotiate-auth.* and network.auth.use-sspi settings for any given case :) (plus enabling secure auth for the TB account at test)

--
Angel Marin
http://anmar.eu.org/
On Aug 12, 2008, at 2:44 AM, Jason Gunthorpe wrote:
> This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which
> simply passes SPNEGO packets directly to gssapi if the library is new
> enough. There is even a configure feature test for the gssapi library
> in that package's configure script. Note that Debian etch's standard
> kerb libraries (1.4) are not good enough for this.

Any thoughts on how exactly to detect that it's MIT kerberos (not Heimdal) and the version is new enough?

> (although don't the gssapi calls block??)

Yes, but it was cleverly hidden so I hadn't thought about it before ;) So yes, I suppose some day GSSAPI calls should be done in auth worker processes.
On Tue, Aug 12, 2008 at 01:11:47PM -0400, Timo Sirainen wrote:
> On Aug 12, 2008, at 2:44 AM, Jason Gunthorpe wrote:
>
>> This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which
>> simply passes SPNEGO packets directly to gssapi if the library is new
>> enough. There is even a configure feature test for the gssapi library
>> in that package's configure script. Note that Debian etch's standard
>> kerb libraries (1.4) are not good enough for this.
>
> Any thoughts on how exactly to detect that it's MIT kerberos (not Heimdal)
> and the version is new enough?

It has been ages since I touched autoconf, but this is the test that libapache-mod-auth-kerb uses:

# If SPNEGO is supported by the gssapi libraries, we shouldn't build our support.
# SPNEGO is supported as of Heimdal 0.7, and MIT 1.5.
gssapi_supports_spnego=""
AC_MSG_CHECKING(whether the GSSAPI libraries support SPNEGO)
ac_save_CFLAGS="$CFLAGS"
CFLAGS="$KRB5_CPPFLAGS"
ac_save_LDFLAGS="$LDFLAGS"
LDFLAGS=$KRB5_LDFLAGS
AC_TRY_RUN([
#include <string.h>
#include <krb5.h>
#ifdef HEIMDAL
#include <gssapi.h>
#else
#include <gssapi/gssapi.h>
#endif

int main(int argc, char** argv)
{
	OM_uint32 major_status, minor_status;
	gss_OID_set mech_set;
	/* DER-encoded SPNEGO OID 1.3.6.1.5.5.2 */
	gss_OID_desc spnego_oid_desc = {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
	int SPNEGO = 0;

	/* Ask the library which mechanisms it offers and look for SPNEGO. */
	major_status = gss_indicate_mechs(&minor_status, &mech_set);
	if (GSS_ERROR(major_status))
		return 1;
	else {
		unsigned int i;
		for (i = 0; i < mech_set->count && !SPNEGO; i++) {
			gss_OID tmp_oid = &mech_set->elements[i];
			if (tmp_oid->length == spnego_oid_desc.length &&
			    !memcmp(tmp_oid->elements, spnego_oid_desc.elements,
				    tmp_oid->length)) {
				SPNEGO = 1;
				break;
			}
		}
		gss_release_oid_set(&minor_status, &mech_set);
		/* exit status 0 means SPNEGO was found */
		return (!SPNEGO);
	}
}],
[ if test $? -eq 0; then
    AC_MSG_RESULT(yes)
    AC_DEFINE(GSSAPI_SUPPORTS_SPNEGO)
    gssapi_supports_spnego=yes
  else
    AC_MSG_RESULT(no)
  fi],
[AC_MSG_RESULT(no)])
# restore the flags saved above so the rest of configure is unaffected
CFLAGS="$ac_save_CFLAGS"
LDFLAGS="$ac_save_LDFLAGS"

Jason
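The mechanism scan in that configure test, as an added example that is not part of this thread, of mod-auth-kerb or of the Dovecot patch. The `oid_desc`/`oid_set` structs are an assumption standing in for the GSSAPI `gss_OID_desc`/`gss_OID_set_desc` layouts (a length plus a pointer to the DER-encoded arcs) so that the program builds without libgssapi, and the mechanism set is constructed rather than obtained from `gss_indicate_mechs()`. It does the same length-plus-memcmp comparison the test does, and additionally decodes the OID bytes to dotted form so a startup log can name what the library actually offers:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed stand-ins for gss_OID_desc / gss_OID_set_desc: a length plus a
   pointer to DER-encoded arcs, so this builds without libgssapi. With the
   real library the scan below runs over the set from gss_indicate_mechs(). */
struct oid_desc { size_t length; const void *elements; };
struct oid_set  { size_t count;  struct oid_desc *elements; };

/* Constructed sample OIDs: Kerberos V5 (1.2.840.113554.1.2.2) and SPNEGO
   (1.3.6.1.5.5.2), the latter being the bytes the configure test hard-codes. */
static const unsigned char krb5_oid_bytes[] =
    { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
static const unsigned char spnego_oid_bytes[] =
    { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };

/* Decode DER OID contents into dotted form. Returns the number of characters
   written, or -1 for an empty, truncated or oversized OID. */
int oid_to_string(const struct oid_desc *oid, char *out, size_t outlen)
{
    const unsigned char *p = oid->elements;
    unsigned long arc = 0;
    size_t i, used = 0;
    int first = 1, n;

    if (oid->length == 0 || (p[oid->length - 1] & 0x80))
        return -1;                       /* empty, or last arc is cut off */
    for (i = 0; i < oid->length; i++) {
        arc = (arc << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80)
            continue;                    /* continuation bit: arc not done */
        if (first) {                     /* first byte packs arcs 0 and 1 */
            unsigned long a0 = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + used, outlen - used, "%lu.%lu", a0, arc - a0 * 40);
            first = 0;
        } else {
            n = snprintf(out + used, outlen - used, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
        arc = 0;
    }
    return (int)used;
}

/* The same length-plus-memcmp scan the configure test performs. */
int mech_set_has_spnego(const struct oid_set *set)
{
    size_t i;
    for (i = 0; i < set->count; i++) {
        const struct oid_desc *m = &set->elements[i];
        if (m->length == sizeof spnego_oid_bytes &&
            memcmp(m->elements, spnego_oid_bytes, m->length) == 0)
            return 1;
    }
    return 0;
}

/* Build a constructed mech set (Kerberos V5, plus SPNEGO when with_spnego != 0)
   and scan it; with_spnego == 0 models a library such as krb5 1.4. */
int check_constructed_set(int with_spnego)
{
    struct oid_desc mechs[2] = {
        { sizeof krb5_oid_bytes,   krb5_oid_bytes },
        { sizeof spnego_oid_bytes, spnego_oid_bytes },
    };
    struct oid_set set = { with_spnego ? 2u : 1u, mechs };
    return mech_set_has_spnego(&set);
}

/* Decode one of the constructed OIDs: which == 0 -> Kerberos V5, else SPNEGO. */
const char *decode_sample_oid(int which)
{
    static char buf[64];
    struct oid_desc oid;
    oid.length   = which ? sizeof spnego_oid_bytes : sizeof krb5_oid_bytes;
    oid.elements = which ? (const void *)spnego_oid_bytes : (const void *)krb5_oid_bytes;
    if (oid_to_string(&oid, buf, sizeof buf) < 0)
        return "";
    return buf;
}

int main(void)
{
    printf("%s -> SPNEGO %s\n", decode_sample_oid(0),
           check_constructed_set(0) ? "present" : "absent");
    printf("%s -> SPNEGO %s\n", decode_sample_oid(1),
           check_constructed_set(1) ? "present" : "absent");
    return 0;
}
```

Against a real library, replace the constructed set with the result of `gss_indicate_mechs()` and release it with `gss_release_oid_set()` as the configure test does; the comparison and the decoder stay the same.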
Committed the patch to v1.2 tree with some changes: http://hg.dovecot.org/dovecot-1.2/rev/641d761219a6
On Wed, Aug 13, 2008 at 04:23:46PM -0400, Timo Sirainen wrote:
> Committed the patch to v1.2 tree with some changes:
> http://hg.dovecot.org/dovecot-1.2/rev/641d761219a6

What happens when the winbind_spnego and the gssapi_spnego are registered at once? I did not address this because I did not have winbind in my tree at the time.. I imagine that the same 'if' that surrounds the internal ntlm module is needed here..

Ideally though it would be nice if the config file could specify a mapping from SASL name to internal module and NTLM_USE_WINBIND could go away.

BTW, I have yet to find anything that uses this SASL mode.. MS did not implement it in even the latest version of outlook, despite authoring the standard. :( Thunderbird has all the machinery to support it through SSPI, but it never parses the SASL name to use the negotiate-sspi module, so it doesn't use it either.. Plus, nobody outside of Windows sspi clients cares about NTLM.

Thanks,
Jason
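The double-registration question raised above, as an added example that is not Dovecot's code: a hypothetical, minimal mechanism registry (`struct mech_module` here carries only a SASL name and a backend label, unlike Dovecot's real struct) whose register function refuses a second module under a name that is already taken, plus a single configuration-driven choice between a winbind-backed and a native GSSAPI GSS-SPNEGO so that only one of them ever owns the name:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Hypothetical, minimal stand-in for an auth mechanism module: the SASL name
   clients see plus a label for the backend implementing it. */
struct mech_module {
    const char *mech_name;
    const char *backend;
};

#define MAX_MECHS 16
static const struct mech_module *registry[MAX_MECHS];
static size_t registry_count;

/* SASL mechanism names are matched case-insensitively. */
static int mech_name_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b))
            return 0;
    return *a == *b;
}

const struct mech_module *mech_find(const char *name)
{
    size_t i;
    for (i = 0; i < registry_count; i++)
        if (mech_name_equal(registry[i]->mech_name, name))
            return registry[i];
    return NULL;
}

/* Register a module, refusing (-1) a second module under an already-taken SASL
   name instead of letting a later registration shadow an earlier one. */
int mech_register_checked(const struct mech_module *m)
{
    if (registry_count >= MAX_MECHS || mech_find(m->mech_name) != NULL)
        return -1;
    registry[registry_count++] = m;
    return 0;
}

/* Empty the registry; returns the new count (always 0). */
size_t mech_registry_reset(void)
{
    registry_count = 0;
    return registry_count;
}

/* Two candidate implementations of the same SASL name. */
static const struct mech_module gssapi_spnego  = { "GSS-SPNEGO", "gssapi" };
static const struct mech_module winbind_spnego = { "GSS-SPNEGO", "winbind" };

/* The configuration decision in one place: register the winbind-backed or the
   native GSSAPI GSS-SPNEGO, never both. Returns the backend that now owns the
   name, or NULL if the name was already taken. */
const char *register_spnego_for_config(int use_winbind)
{
    const struct mech_module *chosen = use_winbind ? &winbind_spnego : &gssapi_spnego;
    const struct mech_module *owner;
    if (mech_register_checked(chosen) != 0)
        return NULL;
    owner = mech_find("gss-spnego");
    return owner != NULL ? owner->backend : NULL;
}

int main(void)
{
    const char *first = register_spnego_for_config(0);
    printf("first registration: %s\n", first ? first : "rejected");
    printf("second registration under the same name: %s\n",
           register_spnego_for_config(1) == NULL ? "rejected" : "accepted");
    return 0;
}
```

Returning an error from the registration rather than silently replacing the earlier entry is what turns a configuration mistake into a startup failure instead of a mechanism that answers with whichever backend happened to register last.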