[Dovecot] [PATCH] Support GSS-SPNEGO natively
I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :) Modern versions of MIT kerberos support GSS-SPNEGO natively, but are only willing to negotiate for kerberos tickets and not NTLM messages. This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which simply passes SPNEGO packets directly to gssapi if the library is new enough. There is even a configure feature test for the gssapi library in that package's configure script. Note that Debian etch's standard kerb libraries (1.4) are not good enough for this. Having this work means the other gssapi policy knobs in dovecot, like auth_gssapi_hostname, work properly. Instead of 'whatever it is that samba does'. I guess it fixes the concerns about winbind accesses blocking (although don't the gssapi calls block??) In light of this it is really only useful to use winbind if you want to support NTLM as kerberos will do the necessary exchanges with the kdc for an Active Directory domain. In truth a proper and complete design would somehow layer the built in NTLM module under the SPNEGO negotiation and only pass NTLM messages off to samba but I doubt anyone cares with NTLM being rather obsolete. --- dovecot-1.0.13/src/auth/mech-gssapi.c 2007-12-11 11:52:08.000000000 -0700 +++ dovecot-1.0.13-jgg/src/auth/mech-gssapi.c 2008-08-11 23:52:15.000000000 -0600 
@@ -417,4 +424,21 @@ mech_gssapi_auth_free }; +/* MTI Kerberos > 1.5 supports SPNEGO for Kerberos tickets internally. + Nothing else needs to be done here. Note however that this does not + support SPNEGO when the only available credential is NTLM.. */ +const struct mech_module mech_gssapi_spnego = { + "GSS-SPNEGO", + + MEMBER(flags) 0, + + MEMBER(passdb_need_plain) FALSE, + MEMBER(passdb_need_credentials) FALSE, + + mech_gssapi_auth_new, + mech_gssapi_auth_initial, + mech_gssapi_auth_continue, + mech_gssapi_auth_free +}; + #endif --- dovecot-1.0.13/src/auth/mech.c 2007-12-11 11:52:08.000000000 -0700 +++ dovecot-1.0.13-jgg/src/auth/mech.c 2008-08-11 21:30:56.000000000 -0600 @@ -72,6 +72,7 @@ extern struct mech_module mech_anonymous; #ifdef HAVE_GSSAPI extern struct mech_module mech_gssapi; +extern struct mech_module mech_gssapi_spnego; #endif void mech_init(void) @@ -86,6 +87,7 @@ mech_register_module(&mech_anonymous); #ifdef HAVE_GSSAPI mech_register_module(&mech_gssapi); + mech_register_module(&mech_gssapi_spnego); #endif } @@ -101,5 +103,6 @@ mech_unregister_module(&mech_anonymous); #ifdef HAVE_GSSAPI mech_unregister_module(&mech_gssapi); + mech_unregister_module(&mech_gssapi_spnego); #endif }
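Review bot: in the mech-gssapi.c hunk, mech_gssapi_spnego is defined (and later registered) whenever HAVE_GSSAPI is set, but nothing checks that the linked GSSAPI library actually offers the SPNEGO mechanism, and the cover note itself says MIT 1.4 (Debian etch) is not good enough; on such a library the server will advertise AUTH=GSS-SPNEGO and every attempt will fail. A configure-time probe (gss_indicate_mechs() looking for the SPNEGO OID 1.3.6.1.5.5.2, as mod-auth-kerb does) or a runtime check before mech_register_module() would avoid advertising a mechanism that cannot work. Two smaller points in the same hunk: the comment should read "MIT Kerberos", not "MTI", and the hunk header `@@ -417,4 +424,21 @@` implies seven lines were added earlier in mech-gssapi.c that are not in the posted diff, so the patch as posted may not apply cleanly.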
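Review bot: in the mech.c hunks, `mech_register_module(&mech_gssapi_spnego);` is unconditional under HAVE_GSSAPI, so once a winbind-backed GSS-SPNEGO module is compiled in as well, two modules claim the same SASL name and whichever one mech_register_module() happens to prefer silently wins. The registration should be guarded by the same setting that chooses between the built-in and winbind NTLM modules (or mech_register_module() should refuse a duplicate name outright), and the matching `mech_unregister_module(&mech_gssapi_spnego);` in the mech_deinit hunk must carry the same guard so a module that was never registered is not unregistered.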
Jason Gunthorpe wrote:
I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :)
thunderbird does all combinations of GSS auth w/ & w/o SSPI I've ever tried; it's just a pain to find the correct combination of network.negotiate-auth.* and network.auth.use-sspi settings for any given case :) (plus enabling secure auth for the TB account at test)
-- Angel Marin http://anmar.eu.org/
On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote:
Jason Gunthorpe wrote:
I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :)
thunderbird does all combinations of GSS auth w/ & w/o SSPI I've ever tried; it's just a pain to find the correct combination of network.negotiate-auth.* and network.auth.use-sspi settings for any given case :) (plus enabling secure auth for the TB account at test)
Really? I was looking through the source to TB and I can't find where it would use AUTH=GSS-SPNEGO..
For instance in mailnews/imap/src/nsImapServerResponseParser.cpp
Where it parses the CAPABILITY reply it only looks for AUTH=GSSAPI
Then when it goes to do the auth DoGSSAPIStep1 creates a sasl-gssapi which creates either a kerb-gss or a kerb-sspi and both of those set PACKAGE_KERBEROS to disable SPNEGO.
I've been assuming AUTH=GSS-SPNEGO is only used by outlook?
Jason
Jason Gunthorpe wrote:
On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote:
I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :)
Jason Gunthorpe wrote: thunderbird does all combinations of GSS auth w/ & w/o SSPI I've ever tried; it's just a pain to find the correct combination of network.negotiate-auth.* and network.auth.use-sspi settings for any given case :) (plus enabling secure auth for the TB account at test)
Really? I was looking through the source to TB and I can't find where it would use AUTH=GSS-SPNEGO..
ok now rereading it again, I didn't make it clear what part of your message I was referring to :)
I was just addressing the 'why thunderbird on Windows w/ SSPI was not working' part pointing out that thunderbird can do SSPI and that it should work tweaking the appropriate options.
-- Angel Marin http://anmar.eu.org/
On Tue, Aug 12, 2008 at 10:23:19PM +0200, Angel Marin wrote:
Jason Gunthorpe wrote:
On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote:
I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :)
Jason Gunthorpe wrote: thunderbird does all combinations of GSS auth w/ & w/o SSPI I've ever tried; it's just a pain to find the correct combination of network.negotiate-auth.* and network.auth.use-sspi settings for any given case :) (plus enabling secure auth for the TB account at test)
Really? I was looking through the source to TB and I can't find where it would use AUTH=GSS-SPNEGO..
ok now rereading it again, I didn't make it clear what part of your message I was referring to :)
I was just addressing the 'why thunderbird on Windows w/ SSPI was not working' part pointing out that thunderbird can do SSPI and that it should work tweaking the appropriate options.
Oh right, in the end it did work. It turned out thunderbird was trying to use a different SPN than the linux environment. Since that SPN was not configured in AD thunderbird just bailed with an unhelpful message :(
FWIW, near as I can tell, thunderbird seems to use an SPN derived from the SSL certificate on Windows while on Linux it uses an SPN derived from the reverse lookup of the server's IP.
In the end configuring the alternative SPN and using the multihoming patch I sent out made it all work.
Now only outlook does not do single sign on.. Has anyone got outlook and dovecot to do SSO? Does the NTLM winbind patch make that work?
Thanks, Jason
On Aug 12, 2008, at 2:44 AM, Jason Gunthorpe wrote:
This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which simply passes SPNEGO packets directly to gssapi if the library is new enough. There is even a configure feature test for the gssapi library in that package's configure script. Note that Debian etch's standard kerb libraries (1.4) are not good enough for this.
Any thoughts on how exactly to detect that it's MIT kerberos (not Heimdal) and the version is new enough?
(although don't the gssapi calls block??)
Yes, but it was cleverly hidden so I hadn't thought about it before ;)
So yes, I suppose some day GSSAPI calls should be done in auth worker processes.
On Tue, Aug 12, 2008 at 01:11:47PM -0400, Timo Sirainen wrote:
On Aug 12, 2008, at 2:44 AM, Jason Gunthorpe wrote:
This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which simply passes SPNEGO packets directly to gssapi if the library is new enough. There is even a configure feature test for the gssapi library in that package's configure script. Note that Debian etch's standard kerb libraries (1.4) are not good enough for this.
Any thoughts on how exactly to detect that it's MIT kerberos (not Heimdal) and the version is new enough?
It has been ages since I touched autoconf, but this is the test that libapache-mod-auth-kerb uses:
# If SPNEGO is supported by the gssapi libraries, we shouldn't build our support.
# SPNEGO is supported as of Heimdal 0.7, and MIT 1.5.
gssapi_supports_spnego=""
AC_MSG_CHECKING(whether the GSSAPI libraries support SPNEGO)
ac_save_CFLAGS="$CFLAGS"
CFLAGS="$KRB5_CPPFLAGS"
ac_save_LDFLAGS="$LDFLAGS"
LDFLAGS=$KRB5_LDFLAGS
AC_TRY_RUN([
#include <string.h>
#include <krb5.h>
#ifdef HEIMDAL
#include <gssapi.h>
#else
#include <gssapi/gssapi.h>
#endif
int main(int argc, char** argv)
{
    OM_uint32 major_status, minor_status;
    gss_OID_set mech_set;
    gss_OID_desc spnego_oid_desc = {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
    int SPNEGO = 0;

    major_status = gss_indicate_mechs(&minor_status, &mech_set);
    if (GSS_ERROR(major_status))
        return 1;
    else {
        unsigned int i;
        for (i=0; i < mech_set->count && !SPNEGO; i++) {
            gss_OID tmp_oid = &mech_set->elements[i];
            if (tmp_oid->length == spnego_oid_desc.length &&
                !memcmp(tmp_oid->elements, spnego_oid_desc.elements,
                        tmp_oid->length)) {
                SPNEGO = 1;
                break;
            }
        }
        gss_release_oid_set(&minor_status, &mech_set);
        return (!SPNEGO);
    }
}],
[ if test $? -eq 0; then
    AC_MSG_RESULT(yes)
    AC_DEFINE(GSSAPI_SUPPORTS_SPNEGO)
    gssapi_supports_spnego=yes
  else
    AC_MSG_RESULT(no)
  fi],
[AC_MSG_RESULT(no)])
Jason
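The configure test quoted above settles the library side of the question (does gss_indicate_mechs() list the SPNEGO OID 1.3.6.1.5.5.2). The thread's other recurring question is the wire side: whether a given client's first SASL token is actually SPNEGO, plain Kerberos, or something unframed. The following is an added example written for this discussion, not code from the Dovecot patch or from mod-auth-kerb; it parses the RFC 2743 InitialContextToken header to pull out the mechanism OID, decodes DER OIDs to dotted form, and classifies a few hand-constructed sample tokens (labelled as constructed in the code). The OID byte strings are the standard DER encodings; everything else is this example's own naming.

```c
/* Added example for this thread (not Dovecot or mod-auth-kerb code): identify
 * which GSS mechanism a client's initial SASL token carries.  RFC 2743 3.1
 * frames the first token as
 *   0x60 <DER length> 0x06 <OID length> <mechanism OID> <mechanism token>
 * The sample tokens at the bottom are constructed by hand, not captured. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER mechanism OIDs, the same byte form a gss_OID_desc.elements holds */
static const uint8_t OID_SPNEGO[]  = {0x2b,0x06,0x01,0x05,0x05,0x02};                     /* 1.3.6.1.5.5.2 */
static const uint8_t OID_KRB5[]    = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};      /* 1.2.840.113554.1.2.2 */
static const uint8_t OID_NTLMSSP[] = {0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a}; /* 1.3.6.1.4.1.311.2.2.10 */

typedef enum { MECH_NOT_GSS_FRAMED = 0, MECH_SPNEGO, MECH_KRB5, MECH_NTLMSSP, MECH_OTHER } mech_kind;

/* Decode a DER OID body into dotted form; 0 on success, -1 if malformed. */
static int oid_to_dotted(const uint8_t *oid, size_t len, char *out, size_t outsz)
{
    unsigned first, second;
    unsigned long v = 0;
    size_t pos, i;
    int n;

    if (len == 0 || (oid[len - 1] & 0x80) != 0)   /* empty, or last arc never terminated */
        return -1;
    first = oid[0] >= 80 ? 2 : oid[0] / 40;       /* first byte packs two arcs: 40*first + second */
    second = oid[0] - 40 * first;
    n = snprintf(out, outsz, "%u.%u", first, second);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    pos = (size_t)n;
    for (i = 1; i < len; i++) {
        if (v > (ULONG_MAX >> 7))                 /* arc value would overflow */
            return -1;
        v = (v << 7) | (oid[i] & 0x7f);
        if (oid[i] & 0x80)                        /* high bit set: more base-128 digits follow */
            continue;
        n = snprintf(out + pos, outsz - pos, ".%lu", v);
        if (n < 0 || (size_t)n >= outsz - pos)
            return -1;
        pos += (size_t)n;
        v = 0;
    }
    return 0;
}

/* Convenience wrapper returning a static buffer ("<malformed>" on error). */
static const char *oid_dotted(const uint8_t *oid, size_t len)
{
    static char buf[128];
    return oid_to_dotted(oid, len, buf, sizeof buf) == 0 ? buf : "<malformed>";
}

/* Locate the mechanism OID inside an InitialContextToken.  Returns 1 and sets
 * *oid/*oidlen, or 0 if the bytes are not a complete framed token (a raw
 * "NTLMSSP\0" message, a truncated token, and so on). */
static int peek_mech_oid(const uint8_t *tok, size_t len, const uint8_t **oid, size_t *oidlen)
{
    size_t pos = 0, body;
    unsigned nb;

    if (len < 2 || tok[pos++] != 0x60)            /* [APPLICATION 0] constructed tag */
        return 0;
    if (tok[pos] < 0x80) {                        /* short-form length */
        body = tok[pos++];
    } else {                                      /* long form: 0x8N, then N length bytes */
        nb = tok[pos++] & 0x7f;
        if (nb == 0 || nb > sizeof(size_t) || nb > len - pos)
            return 0;
        for (body = 0; nb > 0; nb--)
            body = (body << 8) | tok[pos++];
    }
    if (body > len - pos || body < 2)             /* truncated, or no room for an OID TLV */
        return 0;
    if (tok[pos++] != 0x06)                       /* OBJECT IDENTIFIER tag */
        return 0;
    *oidlen = tok[pos++];
    if (*oidlen == 0 || *oidlen >= 0x80 || *oidlen > body - 2)  /* mech OIDs are short */
        return 0;
    *oid = tok + pos;
    return 1;
}

static mech_kind classify_token(const uint8_t *tok, size_t len)
{
    const uint8_t *oid;
    size_t ol;

    if (!peek_mech_oid(tok, len, &oid, &ol))
        return MECH_NOT_GSS_FRAMED;
    if (ol == sizeof OID_SPNEGO && memcmp(oid, OID_SPNEGO, ol) == 0)
        return MECH_SPNEGO;
    if (ol == sizeof OID_KRB5 && memcmp(oid, OID_KRB5, ol) == 0)
        return MECH_KRB5;
    if (ol == sizeof OID_NTLMSSP && memcmp(oid, OID_NTLMSSP, ol) == 0)
        return MECH_NTLMSSP;
    return MECH_OTHER;
}

/* Constructed samples: a SPNEGO NegTokenInit wrapper, a Kerberos AP-REQ wrapper,
 * a raw NTLM NEGOTIATE without GSS framing, and a token cut off inside the OID. */
static const uint8_t SAMPLE_SPNEGO[]    = {0x60,0x0c, 0x06,0x06, 0x2b,0x06,0x01,0x05,0x05,0x02, 0xa0,0x02,0x30,0x00};
static const uint8_t SAMPLE_KRB5[]      = {0x60,0x0d, 0x06,0x09, 0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02, 0x01,0x00};
static const uint8_t SAMPLE_RAW_NTLM[]  = {'N','T','L','M','S','S','P',0, 0x01,0x00,0x00,0x00};
static const uint8_t SAMPLE_TRUNCATED[] = {0x60,0x0c, 0x06,0x06, 0x2b};

int main(void)
{
    static const char *const names[] = {"not a framed GSS token", "SPNEGO", "Kerberos 5", "NTLMSSP", "other"};
    const struct { const char *label; const uint8_t *tok; size_t len; } samples[] = {
        {"spnego", SAMPLE_SPNEGO, sizeof SAMPLE_SPNEGO}, {"krb5", SAMPLE_KRB5, sizeof SAMPLE_KRB5},
        {"raw ntlm", SAMPLE_RAW_NTLM, sizeof SAMPLE_RAW_NTLM}, {"truncated", SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED},
    };
    const uint8_t *oid;
    size_t ol;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-9s -> %s", samples[i].label, names[classify_token(samples[i].tok, samples[i].len)]);
        if (peek_mech_oid(samples[i].tok, samples[i].len, &oid, &ol))
            printf(" (%s)", oid_dotted(oid, ol));
        putchar('\n');
    }
    return 0;
}
```

Run on a token logged from a failing client this tells you at once whether the client sent a SPNEGO wrapper (which the patch's new mechanism handles only when the inner choice is Kerberos), a bare Kerberos token, or a raw NTLMSSP message that no GSSAPI-backed mechanism will accept. The length and OID-length checks are what keep the parser safe on truncated or malformed input.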
Committed the patch to v1.2 tree with some changes: http://hg.dovecot.org/dovecot-1.2/rev/641d761219a6
On Wed, Aug 13, 2008 at 04:23:46PM -0400, Timo Sirainen wrote:
Committed the patch to v1.2 tree with some changes: http://hg.dovecot.org/dovecot-1.2/rev/641d761219a6
What happens when the winbind_spnego and the gssapi_spnego are registered at once? I did not address this because I did not have winbind in my tree at the time.. I imagine that the same 'if' that surrounds the internal ntlm module is needed here..
Ideally though it would be nice if the config file could specify a mapping from SASL name to internal module and NTLM_USE_WINBIND could go away.
BTW, I have yet to find anything that uses this SASL mode.. MS did not implement it in even the latest version of outlook, despite authoring the standard. :( Thunderbird has all the machinery to support it through SSPI, but it never parses the SASL name to use the negotiate-sspi module, so it doesn't use it either.. Plus, nobody outside of Windows sspi clients cares about NTLM.
Thanks, Jason
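Jason raises two related points above: what happens when the winbind-backed and gssapi-backed GSS-SPNEGO modules are both registered, and whether the config file could map a SASL name to an internal module so that a compile-time switch like NTLM_USE_WINBIND is not needed. The following is an added, hypothetical example written for this thread, not Dovecot's mech.c: a small registry that refuses a second module claiming an already-registered SASL name, and a mapping string of the form "GSS-SPNEGO=gssapi NTLM=winbind" that decides which backend provides a name when several are compiled in. The backend labels (gssapi, winbind, builtin) and the candidate table are illustrative.

```c
/* Added example (hypothetical, not Dovecot's mech.c): a mechanism registry that
 * refuses duplicate SASL names, plus a config-style mapping "NAME=backend ..."
 * that picks which backend provides a name.  Backend labels are illustrative. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_MECHS 16

struct mech_candidate {
    const char *sasl_name;   /* advertised to clients as AUTH=<name> */
    const char *backend;     /* implementation that provides it */
};

struct mech_registry {
    struct mech_candidate mods[MAX_MECHS];
    size_t count;
};

/* SASL mechanism names are case-insensitive (RFC 4422), so compare that way. */
static const struct mech_candidate *mech_find(const struct mech_registry *r, const char *name)
{
    for (size_t i = 0; i < r->count; i++)
        if (strcasecmp(r->mods[i].sasl_name, name) == 0)
            return &r->mods[i];
    return NULL;
}

/* 0 on success; -1 if the name is already taken (no silent shadowing) or the table is full. */
static int mech_register(struct mech_registry *r, const struct mech_candidate *m)
{
    if (r->count >= MAX_MECHS || mech_find(r, m->sasl_name) != NULL)
        return -1;
    r->mods[r->count++] = *m;
    return 0;
}

/* Find NAME in a mapping such as "GSS-SPNEGO=gssapi NTLM=winbind".  Returns 1 and
 * copies the backend into out, 0 if NAME has no entry, -1 if any entry is
 * malformed (missing '=' or an empty side). */
static int mapped_backend(const char *mapping, const char *name, char *out, size_t outsz)
{
    const char *p = mapping;
    while (*p != '\0') {
        while (*p == ' ')
            p++;
        if (*p == '\0')
            break;
        const char *end = strchr(p, ' ');
        size_t entry_len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', entry_len);
        if (eq == NULL || eq == p || (size_t)(eq - p) + 1 == entry_len)
            return -1;
        size_t name_len = (size_t)(eq - p), val_len = entry_len - name_len - 1;
        if (name_len == strlen(name) && strncasecmp(p, name, name_len) == 0) {
            if (val_len >= outsz)
                return -1;
            memcpy(out, eq + 1, val_len);
            out[val_len] = '\0';
            return 1;
        }
        p += entry_len;
    }
    return 0;
}

/* Register the compiled-in candidates.  A mapped name takes only the backend the
 * mapping selects; an unmapped name goes to the first candidate and later
 * duplicates are rejected.  Returns the number registered, or -1 on a malformed
 * mapping or one that selects a backend no candidate provides. */
static int build_registry(const char *mapping, const struct mech_candidate *cands, size_t n,
                          struct mech_registry *r)
{
    char want[32];
    r->count = 0;
    for (size_t i = 0; i < n; i++) {
        int rc = mapped_backend(mapping, cands[i].sasl_name, want, sizeof want);
        if (rc < 0)
            return -1;
        if (rc == 1 && strcasecmp(want, cands[i].backend) != 0)
            continue;                        /* the mapping chose a different backend */
        (void)mech_register(r, &cands[i]);   /* duplicate of an earlier winner: first wins */
    }
    for (size_t i = 0; i < n; i++)           /* every mapped name must have found its backend */
        if (mapped_backend(mapping, cands[i].sasl_name, want, sizeof want) == 1 &&
            mech_find(r, cands[i].sasl_name) == NULL)
            return -1;
    return (int)r->count;
}

/* Illustrative module set: the patch's gssapi-backed GSS-SPNEGO next to a
 * winbind-backed one, and built-in next to winbind NTLM, in registration order. */
static const struct mech_candidate CANDIDATES[] = {
    {"GSSAPI", "gssapi"}, {"GSS-SPNEGO", "gssapi"}, {"GSS-SPNEGO", "winbind"},
    {"NTLM", "builtin"}, {"NTLM", "winbind"},
};
#define N_CANDIDATES (sizeof CANDIDATES / sizeof CANDIDATES[0])

/* Which backend ends up answering GSS-SPNEGO under a given mapping (NULL on error). */
static const char *spnego_backend(const char *mapping)
{
    struct mech_registry r;
    if (build_registry(mapping, CANDIDATES, N_CANDIDATES, &r) < 0)
        return NULL;
    const struct mech_candidate *m = mech_find(&r, "gss-spnego");
    return m ? m->backend : NULL;
}

static int registered_count(const char *mapping)
{
    struct mech_registry r;
    return build_registry(mapping, CANDIDATES, N_CANDIDATES, &r);
}

int main(void)
{
    const char *maps[] = {"", "GSS-SPNEGO=winbind NTLM=winbind", "GSS-SPNEGO", "GSS-SPNEGO=nosuch"};
    for (size_t i = 0; i < sizeof maps / sizeof maps[0]; i++) {
        const char *b = spnego_backend(maps[i]);
        printf("mapping \"%s\": GSS-SPNEGO -> %s (%d registered)\n", maps[i], b ? b : "error",
               registered_count(maps[i]));
    }
    return 0;
}
```

With an empty mapping the first compiled-in candidate wins and the second GSS-SPNEGO module is rejected rather than silently shadowing or replacing it; a mapping that names a backend nothing provides is reported as a configuration error instead of leaving the name unadvertised, which is the failure mode a server operator would otherwise only notice when clients stop authenticating.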
On Aug 13, 2008, at 4:35 PM, Jason Gunthorpe wrote:
Ideally though it would be nice if the config file could specify a mapping from SASL name to internal module and NTLM_USE_WINBIND could go away.
Well, I renamed auth_ntlm_use_winbind to just auth_use_winbind: http://hg.dovecot.org/dovecot-1.2/rev/1f948670f274
participants (3): Angel Marin, Jason Gunthorpe, Timo Sirainen