mongodb / winkerberos

A native Kerberos client implementation for Python on Windows
Apache License 2.0

Use only a service ticket to authenticate #48

Closed CravateRouge closed 2 years ago

CravateRouge commented 2 years ago

For now, winkerberos seems to need a TGT to authenticate to a service, but a service ticket should be enough. For example, when I'm trying to connect to an LDAP AD service:

_, ctx = winkerberos.authGSSClientInit("ldap/WIN-IJ5B521UO5L@BLOODY.LOCAL", principal="Administrator@BLOODY.LOCAL")
winkerberos.GSSError: SSPI: AcquireCredentialsHandle: No credentials are available in the security package

However, I have the following service ticket available:

#0>     Client: Administrator @ BLOODY.LOCAL
        Server: ldap/WIN-IJ5B521UO5L @ BLOODY.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x804a0000 -> reserved initial 0xa0000
        Start Time: 3/12/2022 12:38:17 (local)
        End Time:   3/12/2022 22:37:12 (local)
        Renew Time: 0
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:

Would it be possible to add support for this use case?

behackett commented 2 years ago

What happens if you don't pass the principal argument?

CravateRouge commented 2 years ago

Here is the use case:

It's like winkerberos has its own cache based on the Windows one, and once an authentication error is linked to it, it will ignore the ticket even if it's a valid one. Could you enlighten me on this?

behackett commented 2 years ago

WinKerberos doesn't have a ticket cache of its own. It just calls SSPI functions to do its work. It supports both RFC-2078 format and SPN format for the service param. Does ldap@WIN-IJ5B521UO5L.BLOODY.LOCAL work?

CravateRouge commented 2 years ago

No, ldap@WIN-IJ5B521UO5L.BLOODY.LOCAL is not recognized by the KDC, so I can't request a service ticket for it.

But what's bugging me is the weird behavior of needing to reload the service ticket when there was a failed attempt with the wrong SPN.

CravateRouge commented 2 years ago

winkerberos.authGSSClientInit("ldap@WIN-IJ5B521UO5L.bloody.local") works like a charm since 0.9.0
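The thread turns on which spelling of the target name winkerberos/SSPI will accept: the SPN form "ldap/WIN-IJ5B521UO5L@BLOODY.LOCAL" failed for the reporter while the RFC-2078 host-based form "ldap@WIN-IJ5B521UO5L.bloody.local" worked. The following is an added example, not code from the winkerberos project or from anyone in the thread. The name-parsing and candidate-list helpers are pure Python and run anywhere; the handshake driver uses winkerberos' public API (authGSSClientInit, authGSSClientStep, authGSSClientResponse, AUTH_GSS_COMPLETE, GSSError) and therefore only runs on Windows. The `exchange` callback, the `dns_domain` parameter and the trial order of the candidate spellings are this example's own assumptions; the hostnames and realm are the ones quoted in the thread.

```python
"""Service-name helpers plus a winkerberos client handshake driver.

Added example, not winkerberos project code. The helpers are pure Python;
the handshake needs winkerberos and so only runs on Windows. Host and realm
values are the ones from the issue thread.
"""
import re

try:
    import winkerberos  # Windows-only SSPI binding discussed in the thread
except ImportError:
    winkerberos = None  # the helpers below still work without it

SPN_RE = re.compile(r"([^/@]+)/([^/@]+)(?:@([^/@]+))?")      # ldap/host[@REALM]
HOSTBASED_RE = re.compile(r"([^/@]+)@([^/@]+)")              # ldap@host (RFC 2078)


def parse_service_name(name):
    """Return (service, host, realm) from either spelling winkerberos accepts.
    realm is None when the name carries none."""
    m = SPN_RE.fullmatch(name)
    if m:
        return m.group(1), m.group(2), m.group(3)
    m = HOSTBASED_RE.fullmatch(name)
    if m:
        return m.group(1), m.group(2), None
    raise ValueError("not an SPN or host-based service name: %r" % name)


def candidate_names(name, dns_domain=None):
    """List the spellings of one target to try, most explicit first.

    For "ldap/WIN-IJ5B521UO5L@BLOODY.LOCAL" with dns_domain "bloody.local"
    this yields the SPN with realm, the SPN without realm, the host-based form
    with the FQDN (the spelling that worked in the thread), then the host-based
    form with the bare host. The trial order is this example's choice.
    """
    service, host, realm = parse_service_name(name)
    out = []
    if realm:
        out.append("%s/%s@%s" % (service, host, realm))
    out.append("%s/%s" % (service, host))
    if dns_domain and "." not in host:
        out.append("%s@%s.%s" % (service, host, dns_domain))
    out.append("%s@%s" % (service, host))
    seen, uniq = set(), []
    for n in out:               # drop duplicates, keep order
        if n not in seen:
            seen.add(n)
            uniq.append(n)
    return uniq


def handshake(service, exchange, principal=None):
    """Drive winkerberos' client steps until SSPI reports AUTH_GSS_COMPLETE.

    exchange(token_b64) is a caller-supplied (hypothetical) function that
    delivers a base64 token to the server and returns its base64 reply, or ""
    when the server sent nothing. Returns the context. SASL security-layer
    negotiation (as LDAP does after the GSSAPI exchange) is out of scope here.
    """
    if winkerberos is None:
        raise RuntimeError("winkerberos is only importable on Windows")
    kwargs = {"principal": principal} if principal else {}
    _, ctx = winkerberos.authGSSClientInit(service, **kwargs)
    challenge = ""
    while True:
        rc = winkerberos.authGSSClientStep(ctx, challenge)
        token = winkerberos.authGSSClientResponse(ctx)
        if rc == winkerberos.AUTH_GSS_COMPLETE:
            if token:                # some mechs emit a final token to deliver
                exchange(token)
            return ctx
        challenge = exchange(token) or ""


def first_working_name(name, exchange, principal=None, dns_domain=None):
    """Try each candidate spelling; return (name, ctx) for the first that
    authenticates, re-raising the last GSSError if none do."""
    if winkerberos is None:
        raise RuntimeError("winkerberos is only importable on Windows")
    last = None
    for cand in candidate_names(name, dns_domain):
        try:
            return cand, handshake(cand, exchange, principal)
        except winkerberos.GSSError as exc:
            last = exc              # e.g. AcquireCredentialsHandle failures
    raise last
```

The candidate list deliberately puts the fully qualified host-based form ahead of the bare-host one: behackett's suggestion of ldap@WIN-IJ5B521UO5L.BLOODY.LOCAL and the reporter's working ldap@WIN-IJ5B521UO5L.bloody.local differ only in case, so try the spelling that matches the host's DNS name before falling back.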