Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replacing pywin32's sspi with winkerberos leads to exception #19

Closed
genotrance opened this issue Oct 24, 2017 · 7 comments
Closed

Replacing pywin32's sspi with winkerberos leads to exception #19

genotrance opened this issue Oct 24, 2017 · 7 comments

Comments

@genotrance
Copy link

This may not really be an issue but found no other way to communicate. I'm trying to replace pywin32's SSPI implementation within Px with winkerberos due to this issue.

I have the following code:-

class NtlmMessageGenerator2:
    def __init__(self, user=None):
        if not user:
            user = win32api.GetUserName()
        status, self.ctx = winkerberos.authGSSClientInit("NTLM", gssflags=0)

    def create_auth_request(self):
        status = winkerberos.authGSSClientStep(self.ctx, "")
        if status == winkerberos.AUTH_GSS_COMPLETE:
            return winkerberos.authGSSClientResponse(self.ctx)

        return None

    def create_challenge_response(self, challenge):
        status = winkerberos.authGSSClientStep(self.ctx, challenge)
        if status == winkerberos.AUTH_GSS_COMPLETE:
            return winkerberos.authGSSClientResponse(self.ctx)

        return None

However, it fails as follows:-

Exception happened during processing of request from ('127.0.0.1', 54674)
Traceback (most recent call last):
  File "C:\Miniconda\lib\socketserver.py", line 639, in process_request_thread
    self.finish_request(request, client_address)
  File "C:\Miniconda\lib\socketserver.py", line 361, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "C:\Miniconda\lib\socketserver.py", line 696, in __init__
    self.handle()
  File "C:\Miniconda\lib\http\server.py", line 418, in handle
    self.handle_one_request()
  File "px.py", line 133, in handle_one_request
    httpserver.SimpleHTTPRequestHandler.handle_one_request(self)
  File "C:\Miniconda\lib\http\server.py", line 406, in handle_one_request
    method()
  File "px.py", line 381, in do_CONNECT
    resp, headers, body = self.do_transaction()
  File "px.py", line 301, in do_transaction
    "Proxy-Authorization": "NTLM %s" % ntlm.create_auth_request()
  File "px.py", line 117, in create_auth_request
    status = winkerberos.authGSSClientStep(self.ctx, "")
winkerberos.GSSError: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable

Is NTLM not a valid service endpoint? It works fine with pywin32 (except for that issue with Python 3.6+). I'm running this on Windows 10.

Thanks in advance.
@behackett
Copy link
Member

WinKerberos is not a re-implementation of pywin32's SSPI interface. All it does is re-implement PyKerberos on SSPI. It is designed to do Kerberos auth, not NTLM. That said, you can pass mech_oid=winkerberos.GSS_MECH_OID_SPNEGO to authGSSClientInit. That initializes the credentials for "Negotiate" mode, presumably for client / server setups that will negotiate to use Kerberos.

@behackett
Copy link
Member

behackett commented Oct 24, 2017
edited
Loading

This definitely is not correct:

status, self.ctx = winkerberos.authGSSClientInit("NTLM", gssflags=0)

The first parameter is a GSSAPI service principal, <service>@<hostname>. See the docs here:

https://github.com/mongodb-labs/winkerberos/blob/0.7.0/src/winkerberos.c#L200-L264

@genotrance
Copy link
Author

Thanks to your earlier comment, I got this working.

status, self.ctx = winkerberos.authGSSClientInit("NTLM", gssflags=0,
  mech_oid=winkerberos.GSS_MECH_OID_SPNEGO)

Setting service = "NTLM" works fine since I'm authenticating locally.

I've posted my changes (see class NtlmMessageGenerator) which can be used as a reference for using pywin32 SSPI and winkerberos interchangeably for local NTLM auth without a password.

Thanks a bunch for your quick reply and the great work with winkerberos.

@behackett
Copy link
Member

Neat. I'm glad this project is useful for you.

@genotrance
Copy link
Author

Hello @behackett, considering I have mech_oid=winkerberos.GSS_MECH_OID_SPNEGO, does it mean that winkerberos will figure out whether it should use Kerberos vs. NTLM authentication depending on how the client is setup? Looks like that is how it should be working.

I've been requested to add Kerberos support to Px but I believe it should work as is. Unfortunately I have no way to check since I don't have a setup to verify against.

Any advise is greatly appreciated, thanks in advance.

@behackett
Copy link
Member

behackett commented Feb 16, 2018
edited
Loading

That is how it should work AFAICT. GSS_MECH_OID_SPENGO was added to match PyKerberos. I've tested it against a krb5 KDC successfully, but I don't have an NTLM environment to test it with, and WinKerberos wasn't created for NTLM.

@genotrance
Copy link
Author

Thanks for getting back, ya I hope the issue submitter will try out Px in his setup and it just works.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@genotrance @behackett