[Bug 204899] security/py-kerberos: authGSSClientStep raises GSSError UNKNOWN_SERVER

bugzilla-noreply at freebsd.org
Mon Jan 15 15:18:15 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204899

--- Comment #18 from John W. O'Brien <john at saltant.com> ---
The problem lies in how the principal name type in the main call to
gss_import_name is patched from MIT to Heimdal.

py-kerberos uses [0] gss_krb5_nt_service_name, which krb5 defines as [1]
gss_nt_service_name. That symbol is, in turn, set to [2] the OID defined as [3]
1.2.840.113554.1.2.1.4, a.k.a. GSS_C_NT_HOSTBASED_SERVICE. This is consistent
with the API docs for authGSSClientInit [4] and the standard for that name
type [5]: "service@hostname". Under the hood, both heimdal and krb5 parse names
of that type by splitting on '@' and producing a krb5 principal with two
components, the left and right sides.

The adaptation [6] from krb5 to heimdal erroneously pivoted on the "krb5" part
of the name instead of the "service" part of the name, and ends up using
GSS_KRB5_NT_PRINCIPAL_NAME [7] as a result, which expects a principal of a
different form. That name type treats '@' as the separator between multiple
'/'-separated components and the realm ("service/hostname@REALM"), not as the
separator of two principal components. This explains why, as revealed in the
KDC logs for the failing test cases, the client tries to traverse a cross realm
trust (krbtgt/hostX.example.com@EXAMPLE.COM) as if the intended hostname were a
foreign realm.

I have prepared a patch that I will test and post shortly.

[0]
https://github.com/apple/ccs-pykerberos/blob/PyKerberos-1.2.5/src/kerberosgss.c#L153
[1]
https://github.com/krb5/krb5/blob/krb5-1.15.2-final/src/lib/gssapi/krb5/gssapi_krb5.h#L101
[2]
https://github.com/krb5/krb5/blob/krb5-1.15.2-final/src/lib/gssapi/generic/gssapi_generic.c#L182
[3]
https://github.com/krb5/krb5/blob/krb5-1.15.2-final/src/lib/gssapi/generic/gssapi_generic.c#L93
[4]
https://github.com/apple/ccs-pykerberos/blob/PyKerberos-1.2.5/pysrc/kerberos.py#L150
[5] https://tools.ietf.org/html/rfc2743#page-85 Section 4.1
[6]
https://svnweb.freebsd.org/ports/head/security/py-kerberos/files/extra-patch-src_kerberosgss.h?view=markup&pathrev=401816
[7] https://tools.ietf.org/html/rfc1964#page-13 Section 2.1.1
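The two name-type parsers described in the comment above, reduced to a small Python model. This is an added illustration, not code from the bug report, py-kerberos, krb5 or Heimdal: `parse_hostbased_service` splits on the first '@' into two components the way GSS_C_NT_HOSTBASED_SERVICE is defined, `parse_krb5_principal` splits on the last '@' into components and realm the way GSS_KRB5_NT_PRINCIPAL_NAME is defined, and `first_kdc_request` is a deliberately simplified model of which service ticket the client asks its own KDC for (the principal itself when the realm matches, otherwise the cross-realm krbtgt). Backslash escaping, hostname canonicalization and referrals are ignored. The names `Principal`, the helper functions and the sample input `HTTP@hostX.example.com` / `EXAMPLE.COM` are all assumptions made for the example.

```python
"""Model of the two GSSAPI name types discussed in the bug comment (added example).

Assumed, simplified behaviour: no backslash escaping of '@' or '/', no hostname
canonicalization, and a client that resolves a foreign realm by asking its own
KDC for krbtgt/<foreign realm>@<client realm>.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Principal:
    """A Kerberos principal: ordered components plus an optional realm."""
    components: List[str]
    realm: Optional[str]  # None means "not given"; the client's realm is used

    def unparse(self, default_realm: str) -> str:
        return "/".join(self.components) + "@" + (self.realm or default_realm)


def parse_hostbased_service(name: str) -> Principal:
    """GSS_C_NT_HOSTBASED_SERVICE (1.2.840.113554.1.2.1.4): 'service@hostname'.

    '@' separates two principal components; the realm is never part of the name.
    RFC 2743 allows the hostname to be omitted (meaning the local host); this
    toy requires it to keep the example self-contained.
    """
    service, sep, host = name.partition("@")
    if not service or not sep or not host:
        raise ValueError("expected 'service@hostname', got %r" % name)
    return Principal([service, host], None)


def parse_krb5_principal(name: str) -> Principal:
    """GSS_KRB5_NT_PRINCIPAL_NAME (RFC 1964 2.1.1): 'comp1/comp2/...@REALM'.

    The last '@' separates the realm; '/' separates the components.
    """
    body, sep, realm = name.rpartition("@")
    if not sep:  # no realm given at all
        body, realm = name, None
    if not body:
        raise ValueError("principal has no components: %r" % name)
    return Principal(body.split("/"), realm or None)


def first_kdc_request(principal: Principal, client_realm: str) -> str:
    """Service principal the client asks its own KDC for (simplified model).

    Same realm: ask for the service directly. Foreign realm: ask for the
    cross-realm TGT krbtgt/<foreign realm>@<client realm> first.
    """
    target_realm = principal.realm or client_realm
    if target_realm == client_realm:
        return principal.unparse(client_realm)
    return "krbtgt/%s@%s" % (target_realm, client_realm)


def compare_name_types(name: str, client_realm: str) -> dict:
    """Run the same 'service@hostname' string through both name types."""
    as_hostbased = parse_hostbased_service(name)
    as_principal = parse_krb5_principal(name)
    return {
        "hostbased": first_kdc_request(as_hostbased, client_realm),
        "principal_name": first_kdc_request(as_principal, client_realm),
    }


if __name__ == "__main__":
    # Constructed sample input mirroring the failing test case in the comment.
    result = compare_name_types("HTTP@hostX.example.com", "EXAMPLE.COM")
    for name_type, request in result.items():
        print("%-15s -> %s" % (name_type, request))
```

With the hostbased name type the client asks for HTTP/hostX.example.com@EXAMPLE.COM; with the principal-name type the same string yields realm "hostX.example.com", so the first request becomes krbtgt/hostX.example.com@EXAMPLE.COM, the cross-realm lookup the comment reports seeing in the KDC logs.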
