implement kerberos auth for server (and proxy) including constrained delegation #381
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…side krb5 and strip ports of server, sniff auth type if undefined
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…ecode ntlm challenge and add target-spn to ntlm auth
…context on krb auth errors in server
Add smb2_get_session_id / smb2_get_workstation helpers
|
Thanks. fb71126 proper type for cred handle since they belong together. Please rebase ontop of master and remove these three commits from your push request. |
| return -1; | ||
| /* ignore this error for now, it might be OK | ||
| * to not pass the pending reply along */ | ||
| /*return -1;*/ |
Check notice
Code scanning / CodeQL
Commented-out code Note
|
It took me a while to merge/sync. I had t make a few merge fix commits
…On Sat, Dec 21, 2024 at 12:58 AM Ronnie Sahlberg ***@***.***> wrote:
Thanks.
I have merged these three commits into a single one and added to master :
fb71126
<fb71126>
proper type for cred handle
2e416aa
<2e416aa>
add krb5 cred handle passing api
c0e8924
<c0e8924>
add krb5 cred handle passing and release mechanism for proxying
since they belong together. Please rebase ontop of master and remove these
three commits from your push request.
—
Reply to this email directly, view it on GitHub
<#381 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAARWEAAI5VG2FEGWE6NPP32GT7QFAVCNFSM6AAAAABTLQ5AD2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNJYGAYTGMJSG4>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
Also, there are a few more fixes added. I now properly pass-through
STATUS_PENDING messages, and fixed a compile error in an example
…On Sat, Dec 21, 2024 at 12:58 AM Ronnie Sahlberg ***@***.***> wrote:
Thanks.
I have merged these three commits into a single one and added to master :
fb71126
<fb71126>
proper type for cred handle
2e416aa
<2e416aa>
add krb5 cred handle passing api
c0e8924
<c0e8924>
add krb5 cred handle passing and release mechanism for proxying
since they belong together. Please rebase ontop of master and remove these
three commits from your push request.
—
Reply to this email directly, view it on GitHub
<#381 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAARWEAAI5VG2FEGWE6NPP32GT7QFAVCNFSM6AAAAABTLQ5AD2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNJYGAYTGMJSG4>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This provides for krb5 authentication to libsmb2 server and can co-exist with local ntlmssp auth in the case krb5 ntlmssp isnt installed. TODO - detect if krb5 can handle ntlmssp and offload to krb5 in that case. Need to figure a way to ask krb5 lib if it can do that.
Also provides for constrained delegation in proxy use-case where the original client credentials can be used to get a proxy credential to use for proxy client to actual server.
Adds a "suppress_errors" flag to ntlmssp message type sniffing to allow for auto-detect of auth method during negotiation by using the get-message-type function to determine if a valid ntmssp message is in a blob