[krbdev.mit.edu #5807] can't store delegated krb5 creds when using spnego

The RT System itself via RT rt-comment at krbdev.mit.edu
Thu Oct 4 18:17:11 EDT 2007


Date: Thu, 4 Oct 2007 18:05:43 -0400
Message-Id: <200710042205.l94M5has027503 at blade.boston.redhat.com>
To: krb5-bugs at mit.edu
Subject: can't find delegated krb5 creds when using spnego
From: Nalin Dahyabhai <nalin at redhat.com>
Reply-To: Nalin Dahyabhai <nalin at redhat.com>


>Submitter-Id:	net
>Originator:	
>Organization:
>Confidential:	no
>Synopsis:	can't store delegated krb5 creds when using spnego
>Severity:	non-critical
>Priority:	medium
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.6.2
>Environment:
	
System: Linux blade.boston.redhat.com 2.6.23-0.211.rc8.git2.fc8 #1 SMP Thu Sep 27 18:21:00 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
	When using SPNEGO, a client can delegate Kerberos credentials,
	but gss_krb5_copy_cache() can't find them because the delegated
	credential handle contains the SPNEGO mechanism OID.  In this
	case, the credential value is itself a union credential wrapping
	the delegated Kerberos credentials.

>How-To-Repeat:
	Use Firefox's negotiate auth client with libgssapi_krb5 to
	authenticate to Apache httpd with mod_auth_kerb.  The server
	log on my test system shows:
	[Thu Oct 04 14:54:15 2007] [error] [client 172.16.80.50] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (No error)), referer: https://axe.boston.redhat.com/private/

>Fix:
	This could be worked around by just passing up the delegated
	credential handle in gss_accept_sec_context() when the
	mechanism is SPNEGO, but teaching gss_krb5_copy_ccache() to
	walk the credentials tree looked like a slightly simpler way
	to go.

Index: src/lib/gssapi/mechglue/g_glue.c
===================================================================
--- src/lib/gssapi/mechglue/g_glue.c	(revision 20093)
+++ src/lib/gssapi/mechglue/g_glue.c	(working copy)
@@ -33,6 +33,8 @@
 #define	MSO_BIT (8*(sizeof (int) - 1))  /* Most significant octet bit */
 
 extern gss_mechanism *gssint_mechs_array;
+#define SPNEGO_OID_LENGTH 6
+#define SPNEGO_OID "\053\006\001\005\005\002"
 
 /*
  * This file contains the support routines for the glue layer.
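Review bot: the new SPNEGO_OID literal "\053\006\001\005\005\002" carries no comment saying which OID it encodes; add one stating that it is the DER content of 1.3.6.1.5.5.2 (the SPNEGO mechanism OID), and if the library already exports the SPNEGO mechanism OID object where mechglue can reach it, reference that rather than keeping a second hand-typed copy that can drift. The two defines are also inserted above the file's descriptive comment block ("This file contains the support routines for the glue layer."); move them below it, next to the file's other definitions.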
@@ -548,6 +550,8 @@
     gss_OID		mech_type;
 {
     int		i;
+    gss_union_cred_t	spnego_cred;
+    gss_cred_id_t	mech_cred;
     
     if (union_cred == GSS_C_NO_CREDENTIAL)
 	return GSS_C_NO_CREDENTIAL;
@@ -555,6 +559,17 @@
     for (i=0; i < union_cred->count; i++) {
 	if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
 	    return union_cred->cred_array[i];
+
+	/* if this is an spnego credential, search its contents */
+	if ((union_cred->mechs_array[i].length == SPNEGO_OID_LENGTH) &&
+	    (memcmp(union_cred->mechs_array[i].elements,
+		    SPNEGO_OID,
+		    SPNEGO_OID_LENGTH) == 0)) {
+	    spnego_cred = union_cred->cred_array[i];
+	    mech_cred = gssint_get_mechanism_cred(spnego_cred, mech_type);
+	    if (mech_cred != GSS_C_NO_CREDENTIAL)
+		return mech_cred;
+	}
     }
     return GSS_C_NO_CREDENTIAL;
 }
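Review bot: the assignment spnego_cred = union_cred->cred_array[i]; converts a gss_cred_id_t to gss_union_cred_t with no cast and relies on the SPNEGO mechanism's credential handle actually being a mechglue union credential; make the cast explicit, as the rest of mechglue does when it unwraps handles, and extend the comment "if this is an spnego credential, search its contents" to state that dependence, because a SPNEGO implementation that stored a private structure in that slot would turn the recursive gssint_get_mechanism_cred() call into a dereference of arbitrary memory. The recursion also has no guard: if mech_type is itself the SPNEGO OID the first g_OID_equal() check returns early, but nothing stops a malformed credential tree from descending indefinitely, so consider limiting the walk to one level.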


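The patch above hard-codes the SPNEGO OID as raw DER content octets, which is the form a gss_OID's elements field holds (no tag or length byte). The following is an added example, not code from this ticket or from the MIT krb5 tree, that encodes a dotted OID into that form so a reviewer can confirm such a literal; the function names put_arc, oid_to_der and oid_der_equals are my own.

```c
#include <stdlib.h>
#include <string.h>

/* Append one arc in base-128, high bit set on all but the last octet. */
static int put_arc(unsigned long v, unsigned char *out, size_t outlen, size_t *pos)
{
    unsigned char tmp[10]; int k = 0;
    do {                                   /* collect 7-bit groups, low first */
        tmp[k++] = (unsigned char)(v & 0x7f);
        v >>= 7;
    } while (v != 0);
    while (k-- > 0) {                      /* emit them high group first */
        if (*pos >= outlen)
            return -1;                     /* output buffer too small */
        out[(*pos)++] = (unsigned char)(tmp[k] | (k > 0 ? 0x80 : 0x00));
    }
    return 0;
}
/* Encode a dotted OID as DER content octets (no tag/length), the form held in
 * a gss_OID's elements field. Returns the byte count, -1 on bad input/overflow. */
int oid_to_der(const char *dotted, unsigned char *out, size_t outlen)
{
    unsigned long arcs[32];
    size_t n = 0, pos = 0, i;
    const char *p = dotted; char *end;
    while (*p != '\0') {
        if (n == sizeof(arcs) / sizeof(arcs[0]) || *p < '0' || *p > '9')
            return -1;
        arcs[n++] = strtoul(p, &end, 10);
        if (*end != '.' && *end != '\0')
            return -1;
        p = end + (*end == '.');           /* step over the separator */
    }
    /* X.690: the first two arcs are folded into a single value, 40*X + Y. */
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39))
        return -1;
    if (put_arc(arcs[0] * 40 + arcs[1], out, outlen, &pos) < 0)
        return -1;
    for (i = 2; i < n; i++)
        if (put_arc(arcs[i], out, outlen, &pos) < 0)
            return -1;
    return (int)pos;
}
/* 1 if DER(dotted) is exactly the given byte string, e.g. a hard-coded literal. */
int oid_der_equals(const char *dotted, const unsigned char *expected, size_t len)
{
    unsigned char der[64];
    int n = oid_to_der(dotted, der, sizeof(der));
    return n >= 0 && (size_t)n == len && memcmp(der, expected, len) == 0;
}
```

Calling oid_der_equals("1.3.6.1.5.5.2", "\053\006\001\005\005\002", 6) returns 1, confirming the literal in the patch.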

