Is anyone using GSS-SPNEGO in cyrus-sasl?

Ken Murchison murch at andrew.cmu.edu
Tue Feb 21 13:30:44 EST 2017


At first glance, this patch looks sane.  I will commit it shortly.


On 02/21/2017 10:34 AM, Jakub Jelen wrote:
> On 02/21/2017 03:52 PM, Simo Sorce wrote:
>> Hello all,
>>
>> On Tue, 2017-02-21 at 15:36 +0100, Jakub Jelen wrote:
>>> Hello all,
>>> we are working on support for GSS-SPNEGO, but there is a problem that
>>> the current implementation (RFC) is not compatible with the only other
>>> implementation we know about on Windows.
>>
>> I just want to clarify that the RFC in question is RFC 4559 (at least
>> according to the commit messages in git that introduced the GSS-SPNEGO
>> mechanism in 2011). This RFC does not document how to implement
>> GSS-SPNEGO, but only how to use the GSSAPI SPNEGO mechanism for HTTP
>> auth.
>>
>> The GSS-SPNEGO implementation in cyrus-sasl has always been incorrect,
>> and worked for HTTP auth solely because all SSF layer negotiation is not
>> performed at all in that case as HTTP is handled via a special flag.
>>
>> Cyrus-sasl's GSS-SPNEGO implementation is self-consistent, but it has
>> never worked (either client or server) against the reference
>> implementation (Microsoft Windows OSs).
>>
>>> Is there anyone using GSS-SPNEGO against something other than
>>> Windows?
>>>
>>> We would like to modify this behavior to work with Windows and we would
>>> like to estimate what can be broken by the modification of this
>>> behavior and what the possibilities are to support backward
>>> compatibility. I would be glad for any input.
>>
>> The patch here:
>> https://github.com/simo5/cyrus-sasl/commit/72b01964a240da457783f0651bef0ff9f146eb3b
>>
>> fixes the behavior of GSS-SPNEGO to work against Windows Servers and to
>> let Windows clients work against cyrus-sasl servers.
>>
>> This has been tested with ldap client tools against an AD server using
>> Kerberos credentials, and using ldp.exe on an Active Directory client
>> against a 389ds LDAP server.
>>
>> This patchset breaks compatibility with the older GSS-SPNEGO
>> implementation but does not change the behavior for the GSSAPI one.
>> It also does not break HTTP auth behavior as that case still shortcuts
>> SSF negotiation which is the only thing changed by this patch.
>>
>> If this patch is ok I will open a PR or send it to the mailing list if
>> that's preferred.
>>
>> Simo.
>>
>> NOTE: I am not subscribed to the ML, please keep me in CC.
>
> Re-sending more comments from Simo, since his answer was rejected from
> the ML.
>
> Jakub

-- 
Kenneth Murchison
Principal Systems Software Engineer
Carnegie Mellon University