libgssapi's People

Contributors

3xx0, aaronjanse, chuckatkins, eric-stokes-architect, estokes, inejge, kimahriman, kiron1, losynix, pimeys, sigmaris, vruello, yangchenye323

libgssapi's Issues

Can GSS-NTLMSSP be used?

https://github.com/gssapi/gss-ntlmssp

https://packages.debian.org/sid/amd64/gss-ntlmssp/filelist
/etc/gss/mech.d/mech.ntlmssp.conf
/usr/lib/x86_64-linux-gnu/gssntlmssp/gssntlmssp.so
/usr/share/doc/gss-ntlmssp/README.md
/usr/share/doc/gss-ntlmssp/changelog.Debian.gz
/usr/share/doc/gss-ntlmssp/copyright
/usr/share/man/man8/gssntlmssp.8.gz
cat /etc/gss/mech.d/mech.ntlmssp.conf
# NTLMSSP mechanism plugin
#
# NOTE: to activate the NTLM SSP mechanism do the following
#     * FOR krb5 < 1.12: copy the content of this file in /etc/gss/mech
#     * FOR krb5 >= 1.12: copy this file in /etc/gss/mech.d
#
# Mechanism Name        Object Identifier               Shared Library Path                     Other Options
gssntlmssp_v1           1.3.6.1.4.1.311.2.2.10          /usr/lib/x86_64-linux-gnu/gssntlmssp/gssntlmssp.so

Help using step

I'm trying to understand how to set up a complete client context, but I'm stuck. The test code is here: https://troels.arvin.dk/rust/libgssapi/1/. It tries to set up a gssapi context against a Kerberos-enabled database server.

I call the resulting little program like this:
gsstest "postgres/servername.somedomain.local"

The resulting output suggests that the first step goes well, but the second one fails:

client_ctx initially:
ClientCtx { ctx: 0x0, cred: CredInfo { name: [email protected], lifetime: 31161s, usage: Initiate, mechanisms: [GSS_MECH_KRB5] }, target: postgres/[email protected], flags: GSS_C_MUTUAL_FLAG, state: Uninitialized, mech: Some(GSS_MECH_KRB5) }

is_complete: false, s1: Some(Buf(gss_buffer_desc_struct { length: 1515, value: 0x55eaeaadd9c0 }))
s2: Err(Error { major: GSS_S_BAD_MECH | GSS_S_NO_CONTEXT | GSS_S_DEFECTIVE_TOKEN, minor: 100001 })

What have I misunderstood?

I know my Kerberos state of affairs is OK when running the test program, since I can connect to the database like this (not entering any password):

$ psql -h servername.somedomain.local
psql (14.3)
GSSAPI-encrypted connection
Type "help" for help.

troels=#

And output from "klist" includes this:

19-02-2023 13:06:15  19-02-2023 23:05:10  postgres/servername.somedomain.local@
	renew until 26-02-2023 13:05:10
	Ticket server: postgres/[email protected]

Provide versions of Contexts without internal Arc/Mutexes

Currently, ServerContext/ClientContext wrap their contents into Arc<Mutex<...>>, but imo this should be a choice left to the user (who might e.g. not wrap it at all or additionally also wrap other stuff into it), as it incurs unnecessary overhead.

Building fails on MacOS, example fails after fixing build

The build fails on MacOS after a brew install krb5, as homebrew installs into /usr/local/opt/krb5. After setting DYLD_FALLBACK_LIBRARY_PATH to /usr/local/opt/krb5 (which homebrew doesn't automatically recommend), the build still fails, as krb5 builds .dylib files instead of .so. If libgssapi_krb5.dylib is renamed to libgssapi_krb5.so, the build completes. However, running the krb5 example segfaults with an EXC_BAD_ACCESS. Running through lldb, it looks like the segfault comes from libgssapi::oid::OidSet::add.

I don't have much experience binding to C libraries from Rust. Am I doing something crazy here or is something weird happening with the MacOS bindings? 😄

Rust 1.78 results in precondition check panic

After updating to rust 1.78, I started hitting a precondition check panic in my tests:

unsafe precondition(s) violated: slice::from_raw_parts requires the pointer to be aligned and non-null, and the total size of the slice not to exceed `isize::MAX`
stack backtrace:
   0: rust_begin_unwind
             at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/std/src/panicking.rs:645:5
   1: core::panicking::panic_nounwind_fmt::runtime
             at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/core/src/panicking.rs:110:18
   2: core::panicking::panic_nounwind_fmt
             at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/core/src/panicking.rs:123:9
   3: core::panicking::panic_nounwind
             at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/core/src/panicking.rs:156:5
   4: core::slice::raw::from_raw_parts::precondition_check
             at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/core/src/intrinsics.rs:2799:21
   5: core::slice::raw::from_raw_parts
             at /rustc/9b00956e56009bab2aa15d7bff10916599e3d6d6/library/core/src/slice/raw.rs:98:9
   6: <libgssapi::util::Buf as core::ops::deref::Deref>::deref
             at /Users/abinford/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libgssapi-0.7.0/src/util.rs:239:18
   7: libgssapi::context::ClientCtx::step
             at /Users/abinford/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libgssapi-0.7.0/src/context.rs:789:16

After some quick checks I think this might be because they started enforcing the value of from_raw_parts to be non-null even if it's empty, and Buf::empty() uses a null pointer:

impl Buf {
    pub(crate) fn empty() -> Buf {
        Buf(gss_buffer_desc {
            length: 0,
            value: ptr::null_mut(),
        })
    }

but then the check

            self.state = ClientCtxState::Complete;
            if out_tok.len() > 0 {
                Ok(Some(out_tok))
            } else {
                Ok(None)
            }

fails because out_tok is empty and fails the precondition after being dereferenced:

impl Deref for Buf {
    type Target = [u8];

    fn deref(&self) -> &Self::Target {
        unsafe { slice::from_raw_parts(self.0.value.cast(), self.0.length as usize) }
    }
}

Just guessing, not 100% sure this is the exact issue.
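
A null-safe form of the Deref pattern quoted in the issue above, as an added example that is not libgssapi's own code or its actual fix. `GssBufferDesc`, `borrowed` and `token_or_none` are hypothetical stand-ins so the block builds without the GSSAPI headers.

```rust
use std::ffi::c_void;
use std::marker::PhantomData;
use std::ops::Deref;
use std::{ptr, slice};

// Local stand-in for the C gss_buffer_desc (assumption: same two fields).
#[repr(C)]
pub struct GssBufferDesc {
    pub length: usize,
    pub value: *mut c_void,
}

// Newtype shaped like the quoted Buf; the lifetime ties it to borrowed bytes.
pub struct Buf<'a>(GssBufferDesc, PhantomData<&'a [u8]>);

impl<'a> Buf<'a> {
    // Same representation as the quoted Buf::empty(): length 0, null pointer.
    pub fn empty() -> Buf<'static> {
        Buf(GssBufferDesc { length: 0, value: ptr::null_mut() }, PhantomData)
    }
    // Constructed helper for the demo: view caller-owned bytes as a buffer.
    pub fn borrowed(bytes: &'a mut [u8]) -> Buf<'a> {
        Buf(GssBufferDesc { length: bytes.len(), value: bytes.as_mut_ptr().cast() }, PhantomData)
    }
}

impl<'a> Deref for Buf<'a> {
    type Target = [u8];
    fn deref(&self) -> &[u8] {
        // from_raw_parts needs a non-null, aligned pointer even when len == 0,
        // so the null/empty case returns a static empty slice instead.
        if self.0.value.is_null() || self.0.length == 0 {
            return &[];
        }
        // SAFETY: value is non-null and refers to `length` bytes valid for 'a.
        unsafe { slice::from_raw_parts(self.0.value.cast::<u8>(), self.0.length) }
    }
}

// Same shape as the quoted check in step(): an empty token becomes None.
pub fn token_or_none(out_tok: Buf<'_>) -> Option<Buf<'_>> {
    if out_tok.len() > 0 { Some(out_tok) } else { None }
}

fn main() {
    assert!(token_or_none(Buf::empty()).is_none()); // null buffer, no panic
    let mut data = *b"token";
    assert_eq!(&*Buf::borrowed(&mut data), &b"token"[..]);
}
```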

Vendoring krb5?

Thanks very much for putting this together! Would you accept a PR that adds a vendored feature that builds GSSAPI from the krb5 sources?

compilation failing

Hello!

When I tried the example from the README, the compilation failed with the error message below.

thread 'main' panicked at 'Unable to find libclang: "the `libclang` shared library at /usr/lib64/clang-private/libclang.so.7 could not be opened: libclangAST.so.7: cannot open shared object file: No such file or directory"'

I could see that the folder is available, but I'm not sure if it's a permission issue. Is there an alternative I can consider to get this working?
