On 02/02/2023 at 07:18, Andrey Af via FreeRDP-devel wrote:
Hi All,
Today I checked the version from master. I see a lot of work with
Kerberos support.
I have a question - why does the client ask for the password? I have a
principal ticket, this should be enough for Kerberos authentication.

Client logs:
[DEBUG][com.freerdp.core.nego] - [nego_set_negotiation_enabled]:
Enabling security layer negotiation: TRUE
[DEBUG][com.freerdp.core.nego] -
[nego_set_restricted_admin_mode_required]: Enabling restricted admin
mode: FALSE
[DEBUG][com.freerdp.core.nego] - [nego_enable_rdp]: Enabling RDP security: TRUE
[DEBUG][com.freerdp.core.nego] - [nego_enable_tls]: Enabling TLS security: TRUE
[DEBUG][com.freerdp.core.nego] - [nego_enable_nla]: Enabling NLA security: TRUE
[DEBUG][com.freerdp.core.nego] - [nego_enable_ext]: Enabling NLA
extended security: FALSE
[DEBUG][com.freerdp.core.connection] -
[rdp_client_transition_to_state]: CONNECTION_STATE_INITIAL -->
CONNECTION_STATE_NEGO
[DEBUG][com.freerdp.core.nego] - [nego_connect]: state: NEGO_STATE_NLA
[DEBUG][com.freerdp.core.nego] - [nego_attempt_nla]: Attempting NLA security
[DEBUG][com.freerdp.core] - [freerdp_set_last_error_ex]:
freerdp_tcp_is_hostname_resolvable resetting error state
[DEBUG][com.freerdp.core] - [freerdp_set_last_error_ex]:
freerdp_tcp_default_connect resetting error state
[DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: connecting
to peer 192.168.55.110
[DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]:
RequestedProtocols: 3
[DEBUG][com.freerdp.core.nego] - [nego_process_negotiation_response]:
RDP_NEG_RSP::flags = { [0x03]
|EXTENDED_CLIENT_DATA_SUPPORTED|DYNVC_GFX_PROTOCOL_SUPPORTED }
[DEBUG][com.freerdp.core.nego] - [nego_recv]: selected_protocol: 2
[DEBUG][com.freerdp.core.nego] - [nego_attempt_nla]: state: NEGO_STATE_FINAL
[DEBUG][com.freerdp.core.nego] - [nego_connect]: Negotiated NLA security
[DEBUG][com.freerdp.core.nego] - [nego_security_connect]:
nego_security_connect with PROTOCOL_HYBRID
[DEBUG][com.freerdp.crypto] - [useKnownHosts]: known_hosts=1
[DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_INITIAL
     --> NLA_STATE_INITIAL
[DEBUG][com.winpr.sspi] - [InitSecurityInterfaceExA]: InitSecurityInterfaceExA
[DEBUG][com.freerdp.core.auth] - [credssp_auth_init]: Using package:
Negotiate (cbMaxToken: 12256 bytes)
[DEBUG][com.winpr.utils] - [SamOpen]: Could not open SAM file!

Password:    ????

Hi,

I understand (and share) the frustration with this required password. So far we've not found a way to avoid that: FreeRDP is multi-platform and typically on Windows we always need the password, and with the design that we have (at least for now), we can't say for sure that the password will not be needed when doing NLA (also don't forget that with SPNego we don't know which algorithm will be used).

Also, if I use a key "/auth-pkg-list:!ntlm,kerberos", the client crashes.

Thread 2 "xfreerdp" received signal SIGSEGV, Segmentation fault.
(gdb) bt
#0  0x00007ffff5ca9fd6 in __strcmp_sse42 () from /usr/bin/../lib64/libc.so.6
#1  0x00007ffff5ff94e7 in negotiate_AcquireCredentialsHandleA
(pszPrincipal=0x0, pszPackage=0x7fffe0c6b990 "Negotiate",
fCredentialUse=2, pvLogonID=0x0, pAuthData=0x7fffe5405670,
pGetKeyFn=0x0, pvGetKeyArgument=0x0, phCredential=0x7fffe0c70268,
ptsExpiry=0x0)
     at freerdp-3.0.0/winpr/libwinpr/sspi/Negotiate/negotiate.c:1418
#2  0x00007ffff5fff3c9 in winpr_AcquireCredentialsHandleA
(pszPrincipal=0x0, pszPackage=0x7fffe0c6b990 "Negotiate",
fCredentialUse=2, pvLogonID=0x0, pAuthData=0x7fffe5405670,
pGetKeyFn=0x0, pvGetKeyArgument=0x0, phCredential=0x7fffe0c70268,
ptsExpiry=0x0)
     at freerdp-3.0.0/winpr/libwinpr/sspi/sspi_winpr.c:1327

Can you report an issue for that? That's most probably a bug related to recent Unicode conversion changes.

Best regards.

--
David FORT
website: https://www.hardening-consulting.com/
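
The negotiation lines in the quoted client log can be decoded to confirm which security protocols the client offered and which one the server selected. The script below is an added example, not part of the original message or of FreeRDP; the protocol bit values are those defined in MS-RDPBCGR, the function names are hypothetical, and the logged numbers are assumed to be decimal.

```python
import re

# Protocol bits from MS-RDPBCGR (requestedProtocols / selectedProtocol fields).
PROTOCOLS = {0x1: "PROTOCOL_SSL", 0x2: "PROTOCOL_HYBRID",
             0x4: "PROTOCOL_RDSTLS", 0x8: "PROTOCOL_HYBRID_EX"}

# Constructed sample: lines copied from the log in the message, mail wrapping included.
SAMPLE_LOG = """\
[DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]:
RequestedProtocols: 3
[DEBUG][com.freerdp.core.nego] - [nego_process_negotiation_response]:
RDP_NEG_RSP::flags = { [0x03]
|EXTENDED_CLIENT_DATA_SUPPORTED|DYNVC_GFX_PROTOCOL_SUPPORTED }
[DEBUG][com.freerdp.core.nego] - [nego_recv]: selected_protocol: 2
"""

def unwrap(text):
    """Rejoin records split by mail wrapping; a record starts with '[LEVEL][tag]'."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if re.match(r"\[[A-Z]+\]\[", line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def decode(mask):
    """Names of the protocol bits set in mask; 0 means legacy RDP security."""
    if mask == 0:
        return ["PROTOCOL_RDP"]
    names = [name for bit, name in sorted(PROTOCOLS.items()) if mask & bit]
    unknown = mask & ~sum(PROTOCOLS)
    return names + ([hex(unknown)] if unknown else [])

def summarize(text):
    """Extract the offered and selected protocols from a client debug log."""
    requested = selected = None
    for rec in unwrap(text):
        if m := re.search(r"RequestedProtocols: (\d+)", rec):
            requested = int(m.group(1))
        elif m := re.search(r"selected_protocol: (\d+)", rec):
            selected = int(m.group(1))
    if requested is None or selected is None:
        raise ValueError("negotiation records not found")
    # A selection of 0 carries no bit and always passes the subset check; use "nla" for that case.
    return {"requested": decode(requested), "selected": decode(selected),
            "selected_was_offered": (selected & requested) == selected,
            "nla": bool(selected & 0x2 or selected & 0x8)}
```

For the log in this thread, the result shows TLS and NLA offered and NLA selected, which matches the "Negotiated NLA security" line.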


