pythongssapi / python-gssapi

A Python interface to RFC 2743/2744 (plus common extensions)
ISC License

gssapi.raw.add_cred_with_password() is missing on Windows #301

Closed nmariz closed 2 years ago

nmariz commented 2 years ago

What went wrong?

gssapi.raw.add_cred_with_password() is missing on Windows platform.

How do we reproduce?

import gssapi

# user and password are supplied by the caller
input_creds = gssapi.Credentials()
acquire_cred_result = gssapi.raw.add_cred_with_password(
    input_creds, user, gssapi.MechType.kerberos, password
)

It will raise:

AttributeError: module 'gssapi.raw' has no attribute 'add_cred_with_password'

You can also notice the existence of ext_password_add.pyi but not of ext_password_add.cp310-win_amd64.pyd.

Component versions (python-gssapi, Kerberos, OS / distro, etc.)

The installation was made using pip install gssapi.

jborean93 commented 2 years ago

The MIT Windows build does not expose gss_add_cred_with_password in its symbols, so when the sdist is built it is done without this optional extension.

C:\Program Files\Microsoft Visual Studio\2022\Community>dumpbin.exe /EXPORTS "C:\Program Files\MIT\Kerberos\bin\gssapi64.dll"
Microsoft (R) COFF/PE Dumper Version 14.31.31105.0
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file C:\Program Files\MIT\Kerberos\bin\gssapi64.dll

File Type: DLL

  Section contains the following exports for gssapi64.dll

    00000000 characteristics
    57683943 time date stamp Mon Jun 20 18:43:15 2016
        0.00 version
           1 ordinal base
         148 number of functions
         148 number of names

    ordinal hint RVA      name

         56    0 00061C40 GSS_C_ATTR_LOCAL_LOGIN_USER
        107    1 00060B20 GSS_C_INQ_SSPI_SESSION_KEY
        108    2 00060B70 GSS_C_MA_AUTH_INIT
        109    3 00060B90 GSS_C_MA_AUTH_INIT_ANON
        110    4 00060B80 GSS_C_MA_AUTH_INIT_INIT
        111    5 00060B78 GSS_C_MA_AUTH_TARG
        112    6 00060B98 GSS_C_MA_AUTH_TARG_ANON
        113    7 00060B88 GSS_C_MA_AUTH_TARG_INIT
        114    8 00060BE0 GSS_C_MA_CBINDINGS
        115    9 00060BF0 GSS_C_MA_COMPRESS
        116    A 00060BB0 GSS_C_MA_CONF_PROT
        117    B 00060BF8 GSS_C_MA_CTX_TRANS
        118    C 00060BA0 GSS_C_MA_DELEG_CRED
        119    D 00060B58 GSS_C_MA_DEPRECATED
        120    E 00060BA8 GSS_C_MA_INTEG_PROT
        121    F 00060B68 GSS_C_MA_ITOK_FRAMED
        122   10 00060B38 GSS_C_MA_MECH_COMPOSITE
        123   11 00060B28 GSS_C_MA_MECH_CONCRETE
        124   12 00060B48 GSS_C_MA_MECH_GLUE
        125   13 00060B40 GSS_C_MA_MECH_NEGO
        126   14 00060B30 GSS_C_MA_MECH_PSEUDO
        127   15 00060BB8 GSS_C_MA_MIC
        128   16 00060B60 GSS_C_MA_NOT_DFLT_MECH
        129   17 00060B50 GSS_C_MA_NOT_MECH
        130   18 00060BD8 GSS_C_MA_OOS_DET
        131   19 00060BE8 GSS_C_MA_PFS
        132   1A 00060BC8 GSS_C_MA_PROT_READY
        133   1B 00060BD0 GSS_C_MA_REPLAY_DET
        134   1C 00060BC0 GSS_C_MA_WRAP
          1   1D 00060B00 GSS_C_NT_ANONYMOUS
        147   1E 00060B18 GSS_C_NT_COMPOSITE_EXPORT
          2   1F 00060B08 GSS_C_NT_EXPORT_NAME
          3   20 00060AF0 GSS_C_NT_HOSTBASED_SERVICE
          4   21 00060AE0 GSS_C_NT_HOSTBASED_SERVICE_X
          5   22 00060AC0 GSS_C_NT_MACHINE_UID_NAME
          6   23 00060AD0 GSS_C_NT_STRING_UID_NAME
          7   24 00060AB0 GSS_C_NT_USER_NAME
          8   25 00048A00 GSS_KRB5_NT_PRINCIPAL_NAME
          9   26 0001D974 gss_accept_sec_context
         10   27 00013B74 gss_acquire_cred
        139   28 00013BF4 gss_acquire_cred_from
         70   29 000167CC gss_acquire_cred_impersonate_name
         71   2A 00020A70 gss_acquire_cred_with_password
         72   2B 0001ED7C gss_add_buffer_set_member
         11   2C 00014114 gss_add_cred
        140   2D 000141B4 gss_add_cred_from
         73   2E 00016D1C gss_add_cred_impersonate_name
         12   2F 0001EA8C gss_add_oid_set_member
         13   30 00020150 gss_canonicalize_name
         14   31 0001C358 gss_compare_name
         74   32 00017690 gss_complete_auth_token
         15   33 0001D62C gss_context_time
         75   34 0001ED4C gss_create_empty_buffer_set
         16   35 0001EA3C gss_create_empty_oid_set
         76   36 00015F34 gss_delete_name_attribute
         17   37 0001D70C gss_delete_sec_context
         77   38 000151A8 gss_display_mech_attr
         18   39 0001C0EC gss_display_name
         78   3A 000164B4 gss_display_name_ext
         19   3B 0001C7F8 gss_display_status
         20   3C 000194D0 gss_duplicate_name
        142   3D 000130B0 gss_export_cred
         21   3E 000197C8 gss_export_name
         79   3F 00015E40 gss_export_name_composite
         22   40 0001B2B8 gss_export_sec_context
         23   41 0001D45C gss_get_mic
        144   42 00017A28 gss_get_mic_iov
        145   43 00017B38 gss_get_mic_iov_length
         80   44 00016114 gss_get_name_attribute
        143   45 00012AA8 gss_import_cred
         24   46 0001B764 gss_import_name
         25   47 0001AEDC gss_import_sec_context
         26   48 00001628 gss_indicate_mechs
         81   49 00014C48 gss_indicate_mechs_by_attrs
         27   4A 0001E358 gss_init_sec_context
         82   4B 00014FF8 gss_inquire_attrs_for_mech
         28   4C 0001A274 gss_inquire_context
         29   4D 0001A9A8 gss_inquire_cred
         30   4E 0001ACE8 gss_inquire_cred_by_mech
         83   4F 00019168 gss_inquire_cred_by_oid
         84   50 000157D8 gss_inquire_mech_for_saslname
         31   51 0001A708 gss_inquire_mechs_for_name
         85   52 000162F4 gss_inquire_name
         32   53 0001A5F8 gss_inquire_names_for_mech
         86   54 000151E8 gss_inquire_saslname_for_mech
         87   55 00019400 gss_inquire_sec_context_by_oid
         33   56 000473E8 gss_krb5_ccache_name
         34   57 000470D8 gss_krb5_copy_ccache
         35   58 000471E8 gss_krb5_export_lucid_sec_context
         36   59 00047458 gss_krb5_free_lucid_sec_context
         37   5A 00047008 gss_krb5_get_tkt_flags
         90   5B 00047148 gss_krb5_import_cred
         38   5C 00047378 gss_krb5_set_allowable_enctypes
         91   5D 000476A8 gss_krb5_set_cred_rcache
        138   5E 00019878 gss_localname
         92   5F 00015D1C gss_map_name_to_any
        135   60 000489E8 gss_mech_iakerb
         39   61 000489D0 gss_mech_krb5
         40   62 000489D8 gss_mech_krb5_old
         41   63 000489E0 gss_mech_krb5_wrong
         42   64 00048A08 gss_mech_set_krb5
         43   65 00048A58 gss_mech_set_krb5_both
         44   66 00048A50 gss_mech_set_krb5_old
        136   67 00060B10 gss_nt_exported_name
         45   68 000489F0 gss_nt_krb5_name
         46   69 000489F8 gss_nt_krb5_principal
         47   6A 00060AC8 gss_nt_machine_uid_name
         48   6B 00060AF8 gss_nt_service_name
        137   6C 00060AE8 gss_nt_service_name_v2
         49   6D 00060AD8 gss_nt_string_uid_name
         50   6E 00060AB8 gss_nt_user_name
         51   6F 0001EB2C gss_oid_to_str
         52   70 0001D86C gss_process_context_token
         93   71 00015AD8 gss_pseudo_random
         94   72 00015C08 gss_release_any_name_mapping
         53   73 0001ECA0 gss_release_buffer
         95   74 0001EDBC gss_release_buffer_set
         54   75 0001E884 gss_release_cred
         96   76 00017C48 gss_release_iov_buffer
         55   77 0001B5E8 gss_release_name
        148   78 00001328 gss_release_oid
         57   79 00012988 gss_release_oid_set
         58   7A 00019ECC gss_seal
         97   7B 000206C8 gss_set_cred_option
         98   7C 00016018 gss_set_name_attribute
         99   7D 0001599C gss_set_neg_mechs
        100   7E 00018F78 gss_set_sec_context_option
         59   7F 0001D5EC gss_sign
        101   80 000134B4 gss_store_cred
        141   81 00013534 gss_store_cred_into
         60   82 0001EB8C gss_str_to_oid
         61   83 0001EAEC gss_test_oid_set_member
         62   84 0001D2B0 gss_unseal
         63   85 0001D0B0 gss_unwrap
        102   86 00018384 gss_unwrap_aead
        103   87 00017D20 gss_unwrap_iov
         64   88 0001D41C gss_verify
         65   89 0001D2FC gss_verify_mic
        146   8A 00017E90 gss_verify_mic_iov
         66   8B 00019C5C gss_wrap
        104   8C 00018D0C gss_wrap_aead
        105   8D 00017748 gss_wrap_iov
        106   8E 000178E8 gss_wrap_iov_length
         67   8F 00019F2C gss_wrap_size_limit
         88   90 00047708 gsskrb5_extract_authtime_from_sec_context
         89   91 00047528 gsskrb5_extract_authz_data_from_sec_context
         68   92 00048950 krb5_gss_oid_array
         69   93 000474B8 krb5_gss_register_acceptor_identity

I tested this against the latest version of MIT Kerberos for Windows (4.1) and it explains why this functionality is not available there. The docs state MIT Kerberos for Windows 4.1 is based on MIT krb5 1.13:

The KfW 4.1 series of releases is based on the MIT krb5 1.13 series of releases, modernizing the support relative to the KfW 4.0 series, which was based on the MIT krb5 1.10 series.

The gss_add_cred_with_password function was introduced in an earlier version (1.12 I think) but there was a bug where it wasn't publicly exported. This was fixed with https://github.com/krb5/krb5/commit/266cce14ee39f6d11b186ee988cffd0c2a119f3d but based on the tags is only present in krb5-1.14 and kfw-4.2 (which kfw has no release at this version yet).

There's nothing this project can do about this. You either need to ask the maintainers for MIT kfw to push a new version with this fix present or use another Windows Kerberos library which is untested by this Python module.
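
An added example, not part of the original thread or the python-gssapi code base: a small parser for `dumpbin /EXPORTS` output that reports which required GSSAPI symbols a DLL does not export, automating the check done by eye in the comment above. The sample text is constructed from a few rows of that output, and the function names `parse_exports` and `missing_symbols` are hypothetical.

```python
import re

# Constructed sample: a few rows taken from the dumpbin output in this thread.
SAMPLE_DUMPBIN = """\
    ordinal hint RVA      name

         10   27 00013B74 gss_acquire_cred
         71   2A 00020A70 gss_acquire_cred_with_password
         11   2C 00014114 gss_add_cred
        140   2D 000141B4 gss_add_cred_from

  Summary
"""

# ordinal (decimal), hint (hex), optional RVA (hex, blank for forwarded
# exports), then the exported name
_ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]+)\s+(?:[0-9A-Fa-f]{8}\s+)?(\S+)")


def parse_exports(dumpbin_text):
    """Return {name: ordinal} for the named exports in `dumpbin /EXPORTS` output."""
    exports, in_table = {}, False
    for line in dumpbin_text.splitlines():
        if line.split() == ["ordinal", "hint", "RVA", "name"]:
            in_table = True      # rows start after this column header
        elif in_table and line.strip() == "Summary":
            break                # the section summary follows the table
        elif in_table:
            m = _ROW.match(line)
            if m:
                exports[m.group(3)] = int(m.group(1))
    return exports


def missing_symbols(dumpbin_text, required):
    """List the required GSSAPI symbols that the DLL does not export."""
    exports = parse_exports(dumpbin_text)
    return [name for name in required if name not in exports]


if __name__ == "__main__":
    wanted = ["gss_acquire_cred_with_password", "gss_add_cred_with_password"]
    print(missing_symbols(SAMPLE_DUMPBIN, wanted))
```
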