[Bug 1643708] Re: Add SPNEGO special case for NTLMSSP+MechListMIC
Timo Aaltonen tjaalton at ubuntu.com
Fri Dec 16 10:20:35 UTC 2016

Hello Joshua, or anyone else affected,

Accepted krb5 into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/krb5/1.13.2+dfsg-5ubuntu1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Description changed:
+ [Impact]
  MS-SPNG section 3.3.5.1 documents an odd behavior the SPNEGO layer
  needs to implement specifically for the NTLMSSP mechanism.  This is
  required for compatibility with Windows services.
  
  Upstream commit:
  https://github.com/krb5/krb5/commit/cb96ca52a3354e5a0ea52e12495ff375de54f9b7
  
  We've run into this issue with Linux to Windows negotiation with
  encrypted http using GSSAPI.
+ 
+ [Test Case]
+ 
+ create a file with some credentials:
+ 
+ $ echo F23:guest:guest > ~/ntlmcreds.txt
+ $ export NTLM_USER_FILE=~/ntlmcreds.txt
+ $ python
+ import gssapi
+ 
+ spnego = gssapi.raw.oids.OID.from_int_seq('1.3.6.1.5.5.2')
+ c = gssapi.creds.Credentials(mechs=[spnego], usage='initiate')
+ tname = gssapi.raw.names.import_name("F23/server", name_type=gssapi.raw.types.NameType.hostbased_service)
+ ac = gssapi.creds.Credentials(mechs=[spnego], usage='accept')
+ 
+ seci = gssapi.SecurityContext(creds=c, name=tname, mech=spnego, usage='initiate')
+ seca = gssapi.SecurityContext(creds=ac, usage='accept')
+ it = seci.step(token=None)
+ ot = seca.step(token=it)
+ it = seci.step(token=ot)
+ ot = seca.step(token=it)
+ it = seci.step(token=ot)
+ 
+ e = seci.wrap("Secrets", True)
+ o = seca.unwrap(e.message)
+ 
+ o.message
+ 'Secrets'
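Review bot: The added [Test Case] does not pin the interpreter or the failure mode, so a verifier cannot tell a fixed package from a broken setup. `$ python` is unversioned, yet `seci.wrap("Secrets", True)` passes a text string and the expected result is shown as `'Secrets'`, which only matches Python 2; under Python 3 the message would have to be bytes and the result would print as `b'Secrets'`. Suggest naming the interpreter explicitly, listing the packages the steps depend on (the Python gssapi bindings and the NTLMSSP mechanism that reads NTLM_USER_FILE), and stating which `step()` or `unwrap()` call fails, and with what error, on the unfixed krb5 so that verification-done and verification-failed are distinguishable.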
** Changed in: krb5 (Ubuntu Xenial)
       Status: Incomplete => Fix Committed
** Tags added: verification-needed
** Changed in: krb5 (Ubuntu Trusty)
       Status: Incomplete => Fix Committed
-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1643708
Title:
  Add SPNEGO special case for NTLMSSP+MechListMIC
Status in krb5 package in Ubuntu:
  Fix Released
Status in krb5 source package in Trusty:
  Fix Committed
Status in krb5 source package in Xenial:
  Fix Committed
Status in krb5 source package in Yakkety:
  Fix Committed
Bug description:
  [Impact]
  MS-SPNG section 3.3.5.1 documents an odd behavior the SPNEGO layer
  needs to implement specifically for the NTLMSSP mechanism.  This is
  required for compatibility with Windows services.
  Upstream commit:
  https://github.com/krb5/krb5/commit/cb96ca52a3354e5a0ea52e12495ff375de54f9b7
  We've run into this issue with Linux to Windows negotiation with
  encrypted http using GSSAPI.
  [Test Case]
  create a file with some credentials:
  $ echo F23:guest:guest > ~/ntlmcreds.txt
  $ export NTLM_USER_FILE=~/ntlmcreds.txt
  $ python
  import gssapi
  spnego = gssapi.raw.oids.OID.from_int_seq('1.3.6.1.5.5.2')
  c = gssapi.creds.Credentials(mechs=[spnego], usage='initiate')
  tname = gssapi.raw.names.import_name("F23/server", name_type=gssapi.raw.types.NameType.hostbased_service)
  ac = gssapi.creds.Credentials(mechs=[spnego], usage='accept')
  seci = gssapi.SecurityContext(creds=c, name=tname, mech=spnego, usage='initiate')
  seca = gssapi.SecurityContext(creds=ac, usage='accept')
  it = seci.step(token=None)
  ot = seca.step(token=it)
  it = seci.step(token=ot)
  ot = seca.step(token=it)
  it = seci.step(token=ot)
  e = seci.wrap("Secrets", True)
  o = seca.unwrap(e.message)
  o.message
  'Secrets'
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1643708/+subscriptions
    
    