Is anyone using GSS-SPNEGO in cyrus-sasl?

Jakub Jelen jjelen at redhat.com
Tue Feb 21 10:34:31 EST 2017


On 02/21/2017 03:52 PM, Simo Sorce wrote:
> Hello all,
>
> On Tue, 2017-02-21 at 15:36 +0100, Jakub Jelen wrote:
>> Hello all,
>> we are working on support for GSS-SPNEGO, but there is a problem: the
>> current implementation (RFC) is not compatible with the only other
>> implementation we know about, on Windows.
>
> I just want to clarify that the RFC in question is RFC 4559 (at least
> according to the commit messages in git that introduced the GSS-SPNEGO
> mechanism in 2011). This RFC does not document how to implement
> GSS-SPNEGO, but only how to use the GSSAPI SPNEGO mechanism for HTTP
> auth.
>
> The GSS-SPNEGO implementation in cyrus-sasl has always been incorrect,
> and worked for HTTP auth solely because no SSF layer negotiation is
> performed at all in that case, as HTTP is handled via a special flag.
>
> Cyrus-sasl's GSS-SPNEGO implementation is self consistent, but it has
> never worked (either client or server) against the reference
> implementation (Microsoft Windows OSs).
>
>> Is there anyone using the GSS-SPNEGO against something else than Windows?
>>
>> We would like to modify this behavior to work with Windows and we would
>> like to estimate what can be broken by the modification of this behavior
>> and what the possibilities are for supporting backward compatibility. I
>> would be glad for any input.
>
> The patch here:
> https://github.com/simo5/cyrus-sasl/commit/72b01964a240da457783f0651bef0ff9f146eb3b
> fixes the behavior of GSS-SPNEGO to work against Windows Servers and to
> let Windows clients work against cyrus-sasl servers.
>
> This has been tested with ldap client tools against an AD server using
> Kerberos credentials, and using ldp.exe on an Active Directory client
> against a 389ds LDAP server.
>
> This patchset breaks compatibility with the older GSS-SPNEGO
> implementation but does not change the behavior for the GSSAPI one.
> It also does not break HTTP auth behavior as that case still shortcuts
> SSF negotiation which is the only thing changed by this patch.
>
> If this patch is ok I will open a PR or send it to the mailing list if
> that's preferred.
>
> Simo.
>
> NOTE: I am not subscribed to the ML, please keep me in CC.

Re-sending more comments from Simo, since his answer was rejected by 
the ML.

Jakub
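The SSF (security layer) negotiation Simo refers to is the step the SASL GSSAPI mechanism performs after the GSS context is established: each side sends, inside a GSS_Wrap'ed token, one octet of security-layer bits and three octets of maximum message size (RFC 4752 section 3.1). The thread does not spell out the token format or how the Windows GSS-SPNEGO variant differs, so the example below only models the RFC 4752 exchange itself. It is an added illustration written for this page, not code from cyrus-sasl or from Simo's patch, and the function names and the sample offers are constructed for the example.

```python
import struct

# Security-layer bits from RFC 4752 section 3.1 (first octet of the token).
LAYER_NONE = 0x01
LAYER_INTEGRITY = 0x02
LAYER_CONFIDENTIALITY = 0x04
KNOWN_LAYERS = LAYER_NONE | LAYER_INTEGRITY | LAYER_CONFIDENTIALITY

# Strongest first: the order a client uses when picking from the offer.
PREFERENCE = (LAYER_CONFIDENTIALITY, LAYER_INTEGRITY, LAYER_NONE)


def encode_layer_token(layers: int, max_buf: int) -> bytes:
    """Build the 4-octet plaintext that is later GSS_Wrap'ed: one octet of
    layer bits, then the maximum message size as a 24-bit big-endian int."""
    if layers == 0 or layers & ~KNOWN_LAYERS:
        raise ValueError("unknown or empty security-layer bitmask: %#x" % layers)
    if not 0 <= max_buf < (1 << 24):
        raise ValueError("max buffer size does not fit in 3 octets: %d" % max_buf)
    return struct.pack(">I", (layers << 24) | max_buf)


def decode_layer_token(token: bytes) -> tuple:
    """Parse a 4-octet token into (layer bits, max buffer size)."""
    if len(token) != 4:
        raise ValueError("security-layer token must be exactly 4 octets")
    (word,) = struct.unpack(">I", token)
    return word >> 24, word & 0xFFFFFF


def client_choose(server_token: bytes, wanted: int, client_max: int) -> bytes:
    """Client side: pick the strongest layer that the server offered and the
    client is willing to use, then emit the reply token. RFC 4752 requires
    the reply to set exactly one bit and a zero size when no layer is used."""
    offered, _server_max = decode_layer_token(server_token)
    for layer in PREFERENCE:
        if layer & offered & wanted:
            chosen = layer
            break
    else:
        raise ValueError("no security layer acceptable to both sides")
    size = 0 if chosen == LAYER_NONE else client_max
    return encode_layer_token(chosen, size)


def server_accept(offered: int, client_token: bytes) -> tuple:
    """Server side: validate the client's choice against what was offered.
    Returns (chosen layer, client max size) or raises on a malformed reply."""
    chosen, client_max = decode_layer_token(client_token)
    if chosen == 0 or chosen & (chosen - 1):
        raise ValueError("client must select exactly one security layer")
    if not chosen & offered:
        raise ValueError("client selected a layer the server did not offer")
    if chosen == LAYER_NONE and client_max != 0:
        raise ValueError("max size must be 0 when no security layer is used")
    return chosen, client_max


def demo() -> tuple:
    """Constructed exchange: server offers every layer with a 64 KiB limit,
    client wants integrity or confidentiality and can receive 4 KiB."""
    server_offer = KNOWN_LAYERS
    server_token = encode_layer_token(server_offer, 65536)
    client_token = client_choose(server_token,
                                 LAYER_INTEGRITY | LAYER_CONFIDENTIALITY, 4096)
    return server_token, client_token, server_accept(server_offer, client_token)


if __name__ == "__main__":
    print(demo())
```

The point of the example is that both peers must agree on whether this exchange happens at all: a peer that sends the RFC 4752 token to one that expects none (or vice versa) fails before any application data flows, which is the class of incompatibility Simo describes for the old GSS-SPNEGO code, and which the HTTP path never hits because it skips the negotiation.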

