implement kerberos auth for server (and proxy) including constrained delegation #381
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…side krb5 and strip ports of server, sniff auth type if undefined
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -830,7 +830,8 @@ | |||
| req.security_mode = (uint8_t)smb2->security_mode; | |||
|
|
|||
| if (smb2->sec == SMB2_SEC_NTLMSSP) { | |||
| /*ntlmssp_set_spnego_wrapping(c_data->auth_data, 1);*/ | |||
| /* do this to wrap in spnego if needed */ | |||
| /*tlmssp_set_spnego_wrapping(c_data->auth_data, 1);*/ | |||
Check notice
Code scanning / CodeQL
Commented-out code Note
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This provides for krb5 authentication to libsmb2 server and can co-exist with local ntlmssp auth in the case krb5 ntlmssp isnt installed. TODO - detect if krb5 can handle ntlmssp and offload to krb5 in that case. Need to figure a way to ask krb5 lib if it can do that.
Also provides for constrained delegation in proxy use-case where the original client credentials can be used to get a proxy credential to use for proxy client to actual server.
Adds a "suppress_errors" flag to ntlmssp message type sniffing to allow for auto-detect of auth method during negotiation by using the get-message-type function to determine if a valid ntmssp message is in a blob