Re: [squid-dev] Support lower case http/ spn format for realmd/adcli join support.

2018-07-09 Thread Eliezer Croitoru

Mike,

It's better to have some noise around rather than slow and deadly 
silence.


Eliezer

On 2018-06-28 18:02, Mike Surcouf wrote:

Adding to this: after testing more, I realised that adcli does not lower-case
the SPN.
I am not sure how I came to that conclusion; sorry for the noise.

-Original Message-
From: squid-dev [mailto:squid-dev-boun...@lists.squid-cache.org] On
Behalf Of Mike Surcouf
Sent: 28 June 2018 09:28
To: 'Amos Jeffries'
Cc: squid-dev@lists.squid-cache.org
Subject: Re: [squid-dev] Support lower case http/ spn format for
realmd/adcli join support.

Hi Amos, thanks for that. I need to correct you on the REALM bit, though.

The bit before the slash in an SPN (service principal name) is SERVICE, 
not REALM.


So for a computer that has a
service = service
fqdn = SomeComputer.example.com
REALM = EXAMPLE.COM

service/somecomputer.example@example.com

So for a computer that has a
service = HTTP
fqdn = SomeComputer.example.com
REALM = EXAMPLE.COM

HTTP/somecomputer.example@example.com
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev


--

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


Re: [squid-dev] Support lower case http/ spn format for realmd/adcli join support.

2018-06-27 Thread Amos Jeffries
On 28/06/18 08:24, Mike Surcouf wrote:
> Thanks Amos for your comprehensive reply. OpenSSH requires lower-case
> host/ and, as you say, Windows doesn't seem to care, so they solved it for
> that case, but it seems that uppercase is the convention for HTTP.
> Do you have an official reference for HTTP/ as the official uppercase
> format of the SPN for the HTTP protocol? I will then file a bug on the adcli repo.
> 


If I'm understanding the descriptions right it is
 .

with the SPN being "realm/principal"

6.1 says realm is case sensitive.

6.2 says principal is case insensitive and syntax may be of several
types, one of those being:

  principal = name '@' host

I am taking an educated guess that since the resulting syntax of those
would look like REALM/somen...@example.org that is what the SPN string
is based on.



The case of "HTTP" as in transport is RFC 7230. Specifically section 2.6,
where the exact octets are prescribed:

"
 HTTP-name = %x48.54.54.50 ; "HTTP", case-sensitive
"

Anything else is non-compliant with HTTP and may contain arbitrary other
errors in both syntax and behaviour - handle at own risk, etc.


Amos


Re: [squid-dev] Support lower case http/ spn format for realmd/adcli join support.

2018-06-27 Thread Mike Surcouf
Thanks Amos for your comprehensive reply. OpenSSH requires lower-case host/ 
and, as you say, Windows doesn't seem to care, so they solved it for that case, 
but it seems that uppercase is the convention for HTTP.
Do you have an official reference for HTTP/ as the official uppercase format 
of the SPN for the HTTP protocol? I will then file a bug on the adcli repo.

On 27 Jun 2018 7:11 pm, Amos Jeffries wrote:
On 27/06/18 06:53, Mike Surcouf wrote:
> Correction
>
>> supports lowercases all SPNs
>
> should read
>
> lowercases all SPNs (you don’t have an option)
>
> so it always produces http/hostn...@realm.com
>
> This is a conscious decision by the adcli team
>
> https://bugs.freedesktop.org/show_bug.cgi?id=84749
>

I don't see any explicit decision by them to use only lower-case. Just
statements that AD accepts case-insensitive inputs so they don't care to
do anything special.


Case insensitivity is a Microsoft custom extension. It cannot be relied
on in non-MS software:
"
Service Principal Names (SPNs) are not case sensitive when used by
Microsoft Windows-based computers. However, an SPN can be used by any
type of computer system. Many of these computer systems, especially
UNIX-based systems, are case-sensitive and require the proper case to
function properly. Care should be taken to use the proper case
particularly when an SPN can be used by a non-Windows-based computer.

Refer this: http://technet.microsoft.com/en-us/library/cc731241(WS.10).aspx
"


Squid also does not parse these details itself. The library being used
by the helper is responsible for all processing of the local machine's
keytab. Squid only parses a token of opaque bytes from HTTP message
headers and passes it as an opaque string to the auth helpers. Our
Kerberos helpers use several libraries, and the one which you are using
apparently has case sensitivity for the SPN.



On the technical side:

Kerberos documents just defer to the protocols where the elements of the SPN
are sourced. So some segments in the SPN are case-sensitive and others
are not, depending on what type of use the SPN is put to.
 e.g. DNS defines hostnames as case-insensitive, so that part is. Some auth
systems define the realm as insensitive, others as case-sensitive - so that
part *might be* (or not. ouch!).


FWIW, following that deference style - the HTTP protocol defines its
protocol name as case-sensitive and has a significant difference between
"HTTP" (transport / messaging syntax) and "http" (URL scheme/syntax,
possibly used over non-HTTP transports).

So technically / in theory:
 * if the SPN is for access to HTTP transport (as Squid SPN are)
   - then the "HTTP/" portion should be upper case only.

 * if the SPN is for use of http:// resource URLs (eg, as opposed to
ftp:// URLs fetched with HTTP)
 - it can be any case.


Squid does not go to that second URL-specific level of detail with
authentication and SPNs. Also, since one is required to be upper case and the
other doesn't matter, going upper case would be the best choice for us if
we did normalize rather than handle them as opaque strings anyway.


HTH
Amos


Re: [squid-dev] Support lower case http/ spn format for realmd/adcli join support.

2018-06-26 Thread Mike Surcouf
Correction

> supports lowercases all SPNs

should read 

lowercases all SPNs (you don’t have an option)

so it always produces http/hostn...@realm.com

This is a conscious decision by the adcli team

https://bugs.freedesktop.org/show_bug.cgi?id=84749


-Original Message-
From: squid-dev [mailto:squid-dev-boun...@lists.squid-cache.org] On Behalf Of 
Mike Surcouf
Sent: 26 June 2018 19:37
To: 'squid-dev@lists.squid-cache.org'
Subject: [squid-dev] Support lower case http/ spn format for realmd/adcli join 
support.

This can be seen here but also applies to other helpers that use Kerberos.

https://github.com/squid-cache/squid/blob/5b74111aff8948e869959113241adada0cd488c2/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc#L490

adcli (which realmd uses for AD joins)  supports lowercases all SPNs when 
adding them to a keytab.
Whether HTTP/ or http/ SPNs are valid is up for debate and really depends on 
the convention of the tool in question, but I see no harm in supporting 
lowercase http/ in addition to HTTP/ SPNs.
As far as I can see even supplying your own SPN does not allow http/ (lowercase).

This would provide compatibility with adcli and realmd join which are common 
tools for AD management on CentOS/RHEL.

Thanks

Mike

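Amos's component rules earlier in the thread (the service name compared exactly, since RFC 7230 fixes the octets of "HTTP"; the hostname case-insensitive, as DNS defines it; the realm case-sensitive or not depending on the KDC) and Mike's original question of whether a keytab written by a lower-casing join tool still holds a usable HTTP/ entry, carried into code as an added example. This is not Squid, adcli or realmd code: it builds a small MIT-format (0x0502) keytab in memory, lists the SPNs in it, and matches them component by component, so that an http/ entry is reported as a case mismatch rather than silently accepted. The host name somecomputer.example.com, the realm EXAMPLE.COM, the enctype and the all-zero key material are constructed for the example.

```python
"""Added example (not Squid, adcli or realmd code): parse an MIT-format keytab
and match its SPNs component by component with the thread's case rules
(service exact per RFC 7230 2.6, hostname case-insensitive per DNS, realm
configurable: AD folds it, MIT/Heimdal do not). Names and keys are made up."""
import struct
from typing import NamedTuple


class Spn(NamedTuple):
    service: str
    host: str
    realm: str

    def __str__(self) -> str:
        return f"{self.service}/{self.host}@{self.realm}"


def parse_spn(text: str) -> Spn:
    """Split 'service/host@REALM' without touching case."""
    principal, at, realm = text.rpartition("@")
    service, slash, host = principal.partition("/")
    if not (at and realm and slash and service and host):
        raise ValueError(f"not a service/host@REALM name: {text!r}")
    return Spn(service, host, realm)


def spn_matches(entry: Spn, wanted: Spn, realm_case_insensitive: bool = True) -> bool:
    if entry.service != wanted.service:            # "http" does not match "HTTP"
        return False
    if entry.host.lower() != wanted.host.lower():  # DNS names fold case
        return False
    if realm_case_insensitive:                     # Active Directory behaviour
        return entry.realm.lower() == wanted.realm.lower()
    return entry.realm == wanted.realm             # MIT / Heimdal behaviour


def _counted(data: bytes) -> bytes:
    """16-bit length-prefixed octet string, as used throughout keytab 0x0502."""
    return struct.pack(">H", len(data)) + data


def build_keytab(spns, kvno: int = 2) -> bytes:
    """MIT keytab 0x0502 (big-endian) with one enctype-18 entry per SPN.
    The 32 zero bytes stand in for the key: test data, not a real key."""
    blob = bytearray(b"\x05\x02")
    for spn in spns:
        body = struct.pack(">H", 2)                             # num_components
        body += _counted(spn.realm.encode())
        body += _counted(spn.service.encode()) + _counted(spn.host.encode())
        body += struct.pack(">IIB", 1, 0, kvno)                 # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", 18) + _counted(b"\x00" * 32)  # keyblock: enctype, key
        blob += struct.pack(">i", len(body)) + body             # signed entry size, then entry
    return bytes(blob)


def read_keytab(blob: bytes):
    """Yield (Spn, kvno, enctype) per live entry; negative sizes are deleted slots."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")

    def counted(p):
        (n,) = struct.unpack_from(">H", blob, p)
        return blob[p + 2:p + 2 + n], p + 2 + n

    pos = 2
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                                            # deleted slot: skip |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, p = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, p)
        (enctype,) = struct.unpack_from(">H", blob, p + 9)
        _key, p = counted(p + 11)
        kvno = vno8
        if end - p >= 4:                                        # optional 32-bit kvno
            (vno32,) = struct.unpack_from(">I", blob, p)
            kvno = vno32 or vno8
        if len(comps) != 2:
            raise ValueError(f"expected service/host principal, got {comps}")
        yield Spn(comps[0], comps[1], realm.decode()), kvno, enctype
        pos = end


def matching_entries(blob: bytes, wanted: str, realm_case_insensitive: bool = True) -> list:
    """Keytab SPNs that would serve a ticket issued for `wanted`."""
    target = parse_spn(wanted)
    return [str(s) for s, _, _ in read_keytab(blob)
            if spn_matches(s, target, realm_case_insensitive)]


def service_case_mismatches(blob: bytes, service: str = "HTTP") -> list:
    """SPNs whose service differs from `service` only by case (http/ vs HTTP/)."""
    return [str(s) for s, _, _ in read_keytab(blob)
            if s.service != service and s.service.lower() == service.lower()]


# Constructed stand-in for /etc/krb5.keytab after an AD join.
SAMPLE_KEYTAB = build_keytab([
    parse_spn("HTTP/somecomputer.example.com@EXAMPLE.COM"),
    parse_spn("http/somecomputer.example.com@EXAMPLE.COM"),
    parse_spn("host/somecomputer.example.com@EXAMPLE.COM"),
])
```

Feeding the bytes of the real /etc/krb5.keytab to read_keytab() lists exactly what the join tool wrote, and service_case_mismatches() then answers the HTTP/ versus http/ question for that host without guessing at the tool's conventions. The realm flag exists because the thread's point about realms cuts both ways: against AD the folded compare is what the KDC does, against an MIT or Heimdal KDC it would accept entries that the KDC itself would not.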

