-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using gss-ntlmssp from Java #94
Comments
sounds to me the Java wrapper is doing something wrong. For example it is very od to see gssntlm_acquire_cred_from(0 called twice, are you sure your code is performing a continuation and not trying to start a new ISC operation ? Not knowing how the Java bindings works, I can't tell. Decoding the base64 you posted shows a valid NTLMSSP challenge token. As for access to windbind, asking it to decode tokens is indeed a privileged operation. You do not have to be root, but your user need to be given permission to access the privileged winbind pipe. |
Thanks, good to know the base64 encoded challenge is valid. It seems, the Java GSS wrapper isn't the problem. I wrote a small test program in C/C++ based on the example in RFC 7546, and get exactly the same error (in src/gss_sec_ctx.c:277). I must be doing something fundamentally wrong, perhaps linking with the wrong libraries. The duplicate gssntlm_acquire_cred_from is caused, because I pass GSS_C_NO_CREDENTIAL into the gss_init_sec_context; if I pass a credential in, I get it only once but the error in gss_sec_ctx.c:277 persists. I attached the source of my small test, maybe (if you have a moment of time), you at a first glance see what I am doing wrong or missing. I was developing and testing on Fedora 38. Ps: Just saw a bug in my code, it should be "memcpy((char *)(tokenResult->value), token.data(), token.size());" instead of "strcpy(...",
Now I get an error in line src/gss_sec_ctx.c:293 instead of src/gss_sec_ctx.c:277, like in Java. |
The NTLMSSP protol is a multistep challenge response protocol. It mean you need to preserve the security context between calls to gss_init_sec_context and you need to provide input credentials. The credentials either store internally the password used to authenticate the user, or provide the linkage to talk to winbindd. Without credentials you can't complete authentication. That said, looking again at the error log your code seem to be failing in ntlm_decode_chal_msg(), if you could GDB the binary reproducer and step through that function and tell me how it fails, I can probably give you more hints on what is wrong. |
I have a problem, maybe you can help me.
I am using the gss-ntlmssp GSS plugin from Java on Linux by setting the system property "-Dsun.security.jgss.native=true".
I am testing HTTP proxy authorization with Negotiate (Kerberos), NTLM and Basic. I have set up a test system with multiple docker containers, one with a Samba DC, one with a Squid proxy and one development container with which I test the authorization.
The test setup seems to be ok, I can succesfully do:
Though I must admit challenge/response authorization with wbinfo is only successful if I run it as root, not as CORP\user1 (maybe that's the problem?):
In my Java program I create a GSS context with the NTLMSSP Oid and create a token with:
This is successful, and I can create a token which I send Base64 encoded to Squid:
The Proxy-authenticate line I send to Squid looks like this:
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAN4II4gAAAAAAAAAAAAAAAAAAAAAGAgAAAAAADw==
Then I get back the following token from Squid:
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAA1goniYTUVUwP3TmIAAAAAAAAAAJYAlgBAAAAABgEAAAAAAA9DAE8AUgBQAAIACABDAE8AUgBQAAEAFgBTAFEAVQBJAEQAUwBFAFIAVgBFAFIABAAgAGMAbwByAHAALgBlAHgAYQBtAHAAbABlAC4AYwBvAG0AAwA4AHMAcQB1AGkAZABzAGUAcgB2AGUAcgAuAGMAbwByAHAALgBlAHgAYQBtAHAAbABlAC4AYwBvAG0ABwAIAHAs/DxdjdkBAAAAAA==
But if I Base64 decode this token and feed it into the GSSContext I get an exception:
Exception:
The gss-ntlmssp Log looks like this:
Any idea what I am doing wrong ? Isn't base64 decoding the token I get and feeding it into gss-ntlmssp enough, do I have to do something else ? Btw., if I use the Kerberos Oid, and do a Proxy-Authenticate: Negotiate instead of NTLM, my test program works, so I think principally the Java GSSAPI is working.
The text was updated successfully, but these errors were encountered: