
Re: [patch] miscellaneous mechglue stuff
Hi Mike,

>2. The server then calls
>   gss_init_sec_context(GSS_SPNEGO_NO_OPTIMISTIC_FLAG_X) to generate the
>   list of available mechs and sends the NegTokenInit (w/o a mech token)
>   to the client in the NEGOTIATE Response.

I can understand the confusion, but it's not how the code is designed
to work. For the purpose of this discussion, the server is ALWAYS the
acceptor.

The server must call gss_accept_sec_context() with the token received
by the client, which may or may not be an empty token. In the case of
an empty token it will respond with a NegTokenInit.

Don't forget a server may need to support both behaviours. This is the
case with LDAP in Active Directory (as it is with XAD). For example,
SAMBA uses acceptor-first in GSS-SPNEGO LDAP binds, whereas Microsoft
LDAP clients use initiator-first. Of course, the server could choose
whether to call gss_init_sec_context() or gss_accept_sec_context()
depending on whether the client sent an empty token or not (which is
what your proposal would require), but to me this is completely
non-intuitive. The logic to deal with this should be inside GSS-API, not
the application.

>3. The client calls gss_accept_sec_context with the above token
>   and provided it doesn't return GSS_S_BAD_MECH the application then
>   throws away the half-baked gss_ctx_id_t (note: the output token from
>   gss_accept_sec_context should be empty here).

The client is not the acceptor; that doesn't make any sense at all. Nor
does it make sense to throw away GSS contexts: it is one authentication
session after all.

>Your point about this MS behavior being non-standard anyway is well
>received. But I just think having gss_accept_sec_context generate
>a NegTokenInit is very awkward. Gss_init_sec_context only takes
>an empty token or a NegTokenTarg as input and it only outputs a
>NegTokenInit. Gss_accept_sec_context only takes a NegTokenInit as input
>and it only outputs a NegTokenTarg (or an empty token in the special
>case where there's no optimistic mech token in the input token).

Your assertions regarding NegToken{Targ,Init} are true for standard
SPNEGO but not MS acceptor-sends-first SPNEGO.

cheers,

-- Luke

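The point Luke makes above, that the acceptor's accept_sec_context() should absorb both the standard initiator-first NegTokenInit and the Microsoft acceptor-sends-first empty token so the server application makes one call either way, modelled as a toy exchange. This is an added example, not code from the thread or from the mechglue patch under discussion: tokens are plain dicts rather than DER-encoded SPNEGO, the mech names and inner mechanism token are constructed, and the client answering an acceptor-first NegTokenInit with its own NegTokenInit is an assumption of the model.

```python
"""Toy SPNEGO negotiation covering initiator-first and acceptor-first bootstrap.

Constructed model: tokens are dicts, not DER SPNEGO, and the inner mechanism
token is a placeholder string. accept_sec_context() handles the empty initial
token itself, so run_exchange()'s server side never chooses between
init_sec_context() and accept_sec_context(). Mech names are assumed.
"""
from dataclasses import dataclass, field

CONTINUE_NEEDED = "GSS_S_CONTINUE_NEEDED"
COMPLETE = "GSS_S_COMPLETE"
BAD_MECH = "GSS_S_BAD_MECH"


def mech_token(mech):
    # Stand-in for a real mechanism's context token (constructed, not a wire format).
    return f"{mech}-initiator-token"


@dataclass
class Context:
    mechs: list                 # this party's mech list, most preferred first
    mech: str = None            # negotiated mech once chosen
    established: bool = False
    log: list = field(default_factory=list)


def init_sec_context(ctx, input_token):
    """Initiator step: takes an empty token, a NegTokenTarg, or (MS acceptor-first
    variant) a NegTokenInit carrying the acceptor's mech list. Returns (major, token)."""
    if not input_token:
        ctx.mech = ctx.mechs[0]
        ctx.log.append("init: empty -> NegTokenInit")
        return CONTINUE_NEEDED, {"type": "NegTokenInit", "mechTypes": list(ctx.mechs),
                                 "mechToken": mech_token(ctx.mech)}
    if input_token["type"] == "NegTokenInit":
        # Acceptor sent its list first: pick our most preferred mech it supports and
        # answer with a NegTokenInit carrying an optimistic token (modelled behaviour).
        common = [m for m in ctx.mechs if m in input_token["mechTypes"]]
        if not common:
            return BAD_MECH, None
        ctx.mech = common[0]
        ctx.log.append("init: NegTokenInit -> NegTokenInit")
        return CONTINUE_NEEDED, {"type": "NegTokenInit", "mechTypes": [ctx.mech],
                                 "mechToken": mech_token(ctx.mech)}
    result = input_token["negResult"]
    if result == "accept-completed":
        ctx.established = True
        return COMPLETE, None
    if result == "reject":
        return BAD_MECH, None
    # accept-incomplete: the acceptor chose another mech; send a token under it.
    ctx.mech = input_token["supportedMech"]
    ctx.log.append("init: NegTokenTarg(incomplete) -> NegTokenTarg")
    return CONTINUE_NEEDED, {"type": "NegTokenTarg", "responseToken": mech_token(ctx.mech)}


def accept_sec_context(ctx, input_token):
    """Acceptor step. The empty-token case lives here, not in the application."""
    if not input_token:
        ctx.log.append("accept: empty -> NegTokenInit")
        return CONTINUE_NEEDED, {"type": "NegTokenInit", "mechTypes": list(ctx.mechs)}
    if input_token["type"] == "NegTokenInit":
        # Choose the initiator's first listed mech that we support.
        common = [m for m in input_token["mechTypes"] if m in ctx.mechs]
        if not common:
            return BAD_MECH, {"type": "NegTokenTarg", "negResult": "reject"}
        ctx.mech = common[0]
        optimistic = input_token.get("mechToken")
        if optimistic is None or input_token["mechTypes"][0] != ctx.mech:
            # Optimistic token absent or for the wrong mech: ask for one under ours.
            ctx.log.append("accept: NegTokenInit -> NegTokenTarg(incomplete)")
            return CONTINUE_NEEDED, {"type": "NegTokenTarg", "negResult": "accept-incomplete",
                                     "supportedMech": ctx.mech}
        inner = optimistic
    else:
        inner = input_token["responseToken"]
    if inner != mech_token(ctx.mech):
        return BAD_MECH, {"type": "NegTokenTarg", "negResult": "reject"}
    ctx.established = True
    ctx.log.append(f"accept: {input_token['type']} -> NegTokenTarg(completed)")
    return COMPLETE, {"type": "NegTokenTarg", "negResult": "accept-completed",
                      "supportedMech": ctx.mech}


def run_exchange(client, server, client_sends_first=True):
    """Drive one authentication session with a single context per side. The server
    is one loop around accept_sec_context(), whether or not the client sent first."""
    maj, token = (init_sec_context(client, None) if client_sends_first
                  else (CONTINUE_NEEDED, None))
    for _ in range(8):  # bound the round trips
        maj, token = accept_sec_context(server, token)
        if maj == BAD_MECH:
            return False
        if token is not None:
            cmaj, token = init_sec_context(client, token)
            if cmaj == BAD_MECH:
                return False
        if maj == COMPLETE:
            return client.established and server.established
    return False
```

Running `run_exchange(Context(["KRB5", "NTLMSSP"]), Context(["KRB5", "NTLMSSP"]), client_sends_first=False)` exercises the acceptor-first path: the server's first accept call sees an empty token and emits the mech list, the client picks a mech and sends its optimistic NegTokenInit, and the same accept loop finishes the session without the application ever having branched on the empty token.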