Open keith6014 opened 6 years ago
Any thoughts?
I had a dig around in the code of go-mssqldb and got a bit lost in how the pluggable the authentication layer is. I think we'd need assistance from maintainers on that project to integrate something. Have you been in contact with them?
Yeah, I have: https://github.com/denisenkom/go-mssqldb/issues/383
So, I got some info from the author. I barely understand it. Any ideas on your end?
@jcmturner any thoughts?
I checked the issue you raised against the go-mssqldb project and it doesn't mean too much to me either. I think we need that project to add the enhancement to their codebase.
Hi, I am working on Kerberos support for go-mssqldb. I am trying to understand how I can integrate with gokrb5. MSSQL supports the SPNEGO mechanism, so I think I would use the gssapi.GetSPNEGOKrbNegTokenInit(creds, tkt, key).Marshal() function to generate the initial SPNEGO packet and send it to the server. The MSSQL server will respond with a NegTokenResp, which I can parse with gssapi.Unmarshal. Now I can check the negState field, and if it has the accept-completed or reject values I can act accordingly, but I don't know what to do if I get the accept-incomplete or request-mic values. Can you provide some guidance?
Hey @jcmturner, any thoughts? Any help would be appreciated.
Any thoughts, @jcmturner?
I've not had any time to look at this one yet. Have you had any input from the owner of go-mssqldb?
Hi @jcmturner, I am the owner of go-mssqldb. Please see my comment on the same thread: https://github.com/jcmturner/gokrb5/issues/125#issuecomment-412310578
@denisenkom I've been reading up on the negotiation mechanism again to refresh my memory.
When using the GetSPNEGOKrbNegTokenInit function, the init message generated will only specify one mechanism (krb5) and will also include the krb5 authentication token in the initial message. When this is included, you should not expect to see an accept-incomplete response, as this is returned when the negotiation of the mechanism has been agreed but the auth token has not yet been passed. Therefore I think you can code to not expect this response and error gracefully just in case you do.
As for the request-mic response I have not implemented handling of MIC tokens as described at https://tools.ietf.org/html/rfc4178#section-5. Is this needed for AD integrated auth in MSSQL?
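The response handling discussed in the two comments above, as an added Go example that is not part of gokrb5 or go-mssqldb: it decodes a NegTokenResp with the standard encoding/asn1 package (re-declaring the RFC 4178 structure locally instead of importing gokrb5) and applies the per-negState decision described here. The sample reply bytes are constructed for the example, not captured traffic.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// negState values from RFC 4178, section 4.2.2.
const acceptCompleted, acceptIncomplete, reject, requestMIC = 0, 1, 2, 3

// NegTokenResp re-declares the RFC 4178 structure for this example (it is not
// the gokrb5 type), with the tags Go's encoding/asn1 needs to decode it.
type NegTokenResp struct {
	NegState      asn1.Enumerated       `asn1:"explicit,tag:0"`
	SupportedMech asn1.ObjectIdentifier `asn1:"explicit,optional,tag:1"`
	ResponseToken []byte                `asn1:"explicit,optional,tag:2"`
	MechListMIC   []byte                `asn1:"explicit,optional,tag:3"`
}

// ParseNegTokenResp strips the [1] NegotiationToken CHOICE wrapper and decodes
// the inner NegTokenResp, rejecting any trailing bytes.
func ParseNegTokenResp(b []byte) (NegTokenResp, error) {
	var r NegTokenResp
	rest, err := asn1.UnmarshalWithParams(b, &r, "explicit,tag:1")
	if err == nil && len(rest) != 0 {
		err = errors.New("trailing bytes after NegTokenResp")
	}
	return r, err
}

// HandleNegState applies the advice above: the NegTokenInit already carried the
// krb5 token, so only accept-completed is success; accept-incomplete and
// request-mic (MIC handling unsupported) fail cleanly instead of being retried.
func HandleNegState(r NegTokenResp) (done bool, err error) {
	switch r.NegState {
	case acceptCompleted:
		return true, nil
	case reject:
		return false, errors.New("server rejected the negotiation")
	case acceptIncomplete:
		return false, errors.New("unexpected accept-incomplete: krb5 token was already sent in NegTokenInit")
	case requestMIC:
		return false, errors.New("server sent request-mic; mechListMIC handling is not implemented")
	}
	return false, fmt.Errorf("unknown negState %d", r.NegState)
}

// Constructed sample reply (not captured traffic): [1]{SEQUENCE{[0] ENUMERATED 0}}, i.e. accept-completed, no responseToken.
var SampleAcceptCompleted = []byte{0xA1, 0x07, 0x30, 0x05, 0xA0, 0x03, 0x0A, 0x01, 0x00}
```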
@denisenkom, how are you doing? Does @jcmturner's suggestion help?
Was wondering if it's possible to use gokrb5 with https://github.com/denisenkom/go-mssqldb. The library has documentation about Kerberos, but not too much. I know you don't own the library, but was wondering if it's similar to using an HTTP connection with a DBMS connection.