Comments (13)

estokes avatar estokes commented on August 29, 2024 1

No problem, I need to run some additional tests and then I'll cut a release.

from cross-krb5.

estokes avatar estokes commented on August 29, 2024

Sorry you're having an issue. I'm by no means an expert in Windows, much less SSPI; I read some API docs and wrote code :). That said, this is a pretty strange error, considering it shouldn't take a lot of memory to accept a Kerberos token; we're talking kbytes, if that. I have never tried this code inside a Hyper-V VM before. Is it possible to try on bare metal, just to eliminate the VM from the equation? As far as "allocating more memory" goes, to my knowledge the SSPI API does not include any memory management primitives or knobs. If you continue to have an issue, I'd recommend you run the program with a memory profiler to find out where (and hopefully why) malloc is failing.

estokes avatar estokes commented on August 29, 2024

A quick Google search later reveals that our friends in the Python community hit this in 2011:

https://mail.python.org/pipermail/python-win32/2011-April/011427.html

So maybe we can figure out that the token isn't a native Kerberos token and use it anyway, although it's not cross-platform at that point. For users staying within the Windows ecosystem that probably doesn't matter. If it's not possible to figure it out, then at least I should document that it only works with native Kerberos tokens.

from cross-krb5.
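
An added example, not code from cross-krb5 or from either commenter: one way to tell from the leading bytes whether a token (the bytes obtained by base64-decoding an RFC 4559 `Negotiate` header value) is a raw Kerberos GSS-API token, a SPNEGO-wrapped one, or raw NTLM. The names `TokenKind`, `der_len` and `classify_token` are hypothetical and the sample bytes are constructed.

```rust
// Added illustration; not code from cross-krb5. All names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum TokenKind { Kerberos, Spnego, Ntlm, Unknown }

// DER contents of the mechanism OIDs (without the 0x06 tag and length byte).
const KRB5_OID: &[u8] = &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02]; // 1.2.840.113554.1.2.2
const SPNEGO_OID: &[u8] = &[0x2b, 0x06, 0x01, 0x05, 0x05, 0x02]; // 1.3.6.1.5.5.2

/// Read a DER length at `pos`; returns (length, index of the first content byte).
fn der_len(buf: &[u8], pos: usize) -> Option<(usize, usize)> {
    let first = *buf.get(pos)?;
    if first & 0x80 == 0 {
        return Some((first as usize, pos + 1)); // short form
    }
    let n = (first & 0x7f) as usize; // long form: n length bytes follow
    if n == 0 || n > 4 {
        return None; // indefinite or implausibly large length
    }
    let bytes = buf.get(pos + 1..pos + 1 + n)?;
    Some((bytes.iter().fold(0usize, |acc, b| (acc << 8) | *b as usize), pos + 1 + n))
}

/// Classify an initial security token by its framing, without touching SSPI.
pub fn classify_token(tok: &[u8]) -> TokenKind {
    if tok.starts_with(b"NTLMSSP\0") {
        return TokenKind::Ntlm; // raw NTLM message, no GSS-API framing
    }
    // GSS-API initial context token: 0x60 <len> 0x06 <oid-len> <oid> <inner token>
    if tok.first() != Some(&0x60) {
        return TokenKind::Unknown;
    }
    let Some((body_len, body)) = der_len(tok, 1) else { return TokenKind::Unknown };
    if body_len > tok.len() - body || tok.get(body) != Some(&0x06) {
        return TokenKind::Unknown; // truncated, or no mechanism OID where expected
    }
    let Some((oid_len, oid)) = der_len(tok, body + 1) else { return TokenKind::Unknown };
    match tok.get(oid..).and_then(|rest| rest.get(..oid_len)) {
        Some(o) if o == KRB5_OID => TokenKind::Kerberos,
        Some(o) if o == SPNEGO_OID => TokenKind::Spnego,
        _ => TokenKind::Unknown,
    }
}

fn main() {
    // Constructed sample: the framing header of a SPNEGO token.
    let sample = [0x60, 0x08, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02];
    println!("{:?}", classify_token(&sample));
}
```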

estokes avatar estokes commented on August 29, 2024

@Geobert an additional question for you. Is it correct that you did not generate the token with cross-krb5?

Geobert avatar Geobert commented on August 29, 2024

> @Geobert an additional question for you. Is it correct that you did not generate the token with cross-krb5?

Correct. I have a setup with a Windows Server with Active Directory, and a Windows client that uses this AD for user management, on their own network. From the client, I trigger a browser that hits my app on the server, and I challenge the browser (which has been configured to do NTLM auth on the domain) and it sends me a token after getting it from AD.

It's supposed to use Kerberos but it's true that I'm unsure of it.

I'm not a specialist either, I'm learning on the go ^^

Here is the RFC: https://datatracker.ietf.org/doc/html/rfc4559

Geobert avatar Geobert commented on August 29, 2024

Is there a way to do what the Python mailing list suggests with this crate? I'm looking at the code and it doesn't seem so, but I might be missing something.

I've also looked at libgssapi, but from the doc, it seems to target Unix only.

estokes avatar estokes commented on August 29, 2024

There is a way, by altering the SSPI code; I need to think about how to do it without breaking everything else in the process. Microsoft decided not to support the standard GSSAPI interface when they introduced Active Directory in 2000; that's why we're having this fun conversation. If your application is Windows-only and will never need to interoperate with any other OS, you can just use SSPI directly. The API isn't as nice, but you can process any kind of token you want.

estokes avatar estokes commented on August 29, 2024

I did a quick read of the code and I think to try the "python fix" all you'd have to do is change 'Kerberos' to 'Negotiate' in the credentials section of windows.rs, that seems to define the "package" which sets the token type.

Geobert avatar Geobert commented on August 29, 2024

> I did a quick read of the code and I think to try the "python fix" all you'd have to do is change 'Kerberos' to 'Negotiate' in the credentials section of windows.rs, that seems to define the "package" which sets the token type.

Thank you for your help! I'll try that tomorrow (my work day is finished here :D)

Geobert avatar Geobert commented on August 29, 2024

It does work! I'm trying to find an elegant way to offer the choice, but it seems this would be Windows-only.

My first idea was to add a method in ServerCtx with a Windows-only attribute. What do you think?

estokes avatar estokes commented on August 29, 2024

Something like that sounds promising, I'll give it some thought today.

estokes avatar estokes commented on August 29, 2024

Try your app with the latest git, if it works for you I'll cut a release.

For posterity, I figured probably over time tons of these "little tweaks" will come up, so I just went ahead and added a bitflags arg to accept and initiate.

Geobert avatar Geobert commented on August 29, 2024

> Try your app with the latest git, if it works for you I'll cut a release.
>
> For posterity, I figured probably over time tons of these "little tweaks" will come up, so I just went ahead and added a bitflags arg to accept and initiate.

Just did a test and it works, thank you very much for looking into this!
