[Bug 1643708] Update Released

Andy Whitcroft apw at canonical.com
Mon Jan 23 16:03:21 UTC 2017 

The verification of the Stable Release Update for krb5 has completed
successfully and the package has now been released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report.  In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1643708

Title:
  Add SPNEGO special case for NTLMSSP+MechListMIC

Status in krb5 package in Ubuntu:
  Fix Released
Status in krb5 source package in Trusty:
  Fix Released
Status in krb5 source package in Xenial:
  Fix Released
Status in krb5 source package in Yakkety:
  Fix Released

Bug description:
  [Impact]
  MS-SPNG section 3.3.5.1 documents an odd behavior the SPNEGO layer
  needs to implement specifically for the NTLMSSP mechanism.  This is
  required for compatibility with Windows services.

  Upstream commit:
  https://github.com/krb5/krb5/commit/cb96ca52a3354e5a0ea52e12495ff375de54f9b7

  We've run into this issue with Linux to Windows negotiation with
  encrypted http using GSSAPI.

  [Test Case]

  create a file with some credentials:

  $ echo F23:guest:guest > ~/ntlmcreds.txt
  $ export NTLM_USER_FILE=~/ntlmcreds.txt
  $ python
  import gssapi

  spnego = gssapi.raw.oids.OID.from_int_seq('1.3.6.1.5.5.2')
  c = gssapi.creds.Credentials(mechs=[spnego], usage='initiate')
  tname = gssapi.raw.names.import_name("F23/server", name_type=gssapi.raw.types.NameType.hostbased_service)
  ac = gssapi.creds.Credentials(mechs=[spnego], usage='accept')

  seci = gssapi.SecurityContext(creds=c, name=tname, mech=spnego, usage='initiate')
  seca = gssapi.SecurityContext(creds=ac, usage='accept')
  it = seci.step(token=None)
  ot = seca.step(token=it)
  it = seci.step(token=ot)
  ot = seca.step(token=it)
  it = seci.step(token=ot)

  e = seci.wrap("Secrets", True)
  o = seca.unwrap(e.message)

  o.message
  'Secrets'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1643708/+subscriptions

More information about the foundations-bugs mailing list