gokrb5

go-mssqldb

Open keith6014 opened this issue 6 years ago • 13 comments

Was wondering if it's possible to use gokrb5 with https://github.com/denisenkom/go-mssqldb. The library has documentation about Kerberos but not too much. I know you don't own the library but was wondering if it's similar to use an HTTP connection with a DBMS connection.

keith6014 avatar May 25 '18 12:05 keith6014

any thoughts?

keith6014 avatar May 31 '18 00:05 keith6014

I had a dig around in the code of go-mssqldb and got a bit lost in how pluggable the authentication layer is. I think we'd need assistance from maintainers on that project to integrate something. Have you been in contact with them?

jcmturner avatar Jun 02 '18 19:06 jcmturner

Yeah, I have: https://github.com/denisenkom/go-mssqldb/issues/383

keith6014 avatar Jun 04 '18 01:06 keith6014

So, I got some info from the author. I barely understand it. Any ideas on your end?

keith6014 avatar Jun 25 '18 02:06 keith6014

@jcmturner any thoughts?

keith6014 avatar Jul 17 '18 01:07 keith6014

I checked the issue you raised against the go-mssqldb project and it doesn't mean too much to me either. I think we need that project to add the enhancement to their codebase.

jcmturner avatar Jul 18 '18 17:07 jcmturner

Hi, I am working on Kerberos support for go-mssqldb. I am trying to understand how I can integrate with gokrb5. MSSQL supports the SPNEGO mechanism, so I think I would use the gssapi.GetSPNEGOKrbNegTokenInit(creds, tkt, key).Marshal() function to generate the initial SPNEGO packet and send it to the server. The MSSQL server will respond with a NegTokenResp, which I can parse with gssapi.Unmarshal. Now I can check the negState field, and if it has accept-completed or reject values I can act accordingly, but I don't know what to do if I get accept-incomplete or request-mic values. Can you provide some guidance?

denisenkom avatar Aug 12 '18 00:08 denisenkom

Hey @jcmturner, any thoughts? Any help would be appreciated.

keith6014 avatar Aug 17 '18 13:08 keith6014

any thoughts @jcmturner ?

keith6014 avatar Aug 31 '18 23:08 keith6014

I've not had any time to look at this one yet. Have you had any input from the owner of go-mssqldb?

jcmturner avatar Sep 01 '18 09:09 jcmturner

Hi @jcmturner, I am the owner of go-mssqldb. Please see my comment on the same thread: https://github.com/jcmturner/gokrb5/issues/125#issuecomment-412310578

denisenkom avatar Sep 01 '18 16:09 denisenkom

@denisenkom I've been reading up on the negotiation mechanism again to refresh my memory.

When using the GetSPNEGOKrbNegTokenInit function, the init message generated will only specify one mechanism (krb5) and will also include the krb5 authentication token in the initial message. When this is included you should not expect to see an accept-incomplete response, as this is returned when the negotiation of the mechanism has been agreed but the auth token not yet passed. Therefore I think you can code to not expect to see this response and error gracefully just in case you do.

As for the request-mic response I have not implemented handling of MIC tokens as described at https://tools.ietf.org/html/rfc4178#section-5. Is this needed for AD integrated auth in MSSQL?

jcmturner avatar Sep 10 '18 21:09 jcmturner
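
Added example (not part of the thread, and not code from gokrb5 or go-mssqldb): a fail-closed check of the first NegTokenResp, following the comment above, that treats only accept-completed as success and returns an error for accept-incomplete and request-mic. It uses only the Go standard library; the type and function names are hypothetical, accepting only the krb5 mechanism OID is an assumption, and the sample bytes are constructed.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// negState values from RFC 4178 section 4.2.2.
const acceptCompleted, acceptIncomplete, reject, requestMIC = 0, 1, 2, 3

// negTokenResp mirrors the RFC 4178 NegTokenResp SEQUENCE (hypothetical type, not gokrb5's).
// NegState is parsed as mandatory because the first server reply must carry it.
type negTokenResp struct {
	NegState      asn1.Enumerated       `asn1:"explicit,tag:0"`
	SupportedMech asn1.ObjectIdentifier `asn1:"explicit,optional,tag:1"`
	ResponseToken []byte                `asn1:"explicit,optional,tag:2"`
	MechListMIC   []byte                `asn1:"explicit,optional,tag:3"`
}

var krb5OID = asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2}

// checkFirstReply returns nil only when the server reports accept-completed for krb5.
func checkFirstReply(der []byte) error {
	var r negTokenResp
	rest, err := asn1.UnmarshalWithParams(der, &r, "explicit,tag:1")
	if err != nil || len(rest) != 0 {
		return fmt.Errorf("malformed NegTokenResp (trailing bytes: %d): %v", len(rest), err)
	}
	if len(r.SupportedMech) != 0 && !r.SupportedMech.Equal(krb5OID) {
		return fmt.Errorf("server selected unexpected mechanism %v", r.SupportedMech)
	}
	switch r.NegState {
	case acceptCompleted:
		return nil
	case reject:
		return errors.New("server rejected the negotiation")
	case acceptIncomplete:
		return errors.New("unexpected accept-incomplete: the krb5 token was already sent")
	case requestMIC:
		return errors.New("server requested a MIC, which this client does not handle")
	}
	return fmt.Errorf("unknown negState %d", r.NegState)
}

func main() {
	// Constructed sample: [1] { SEQUENCE { [0] ENUMERATED accept-completed } }.
	fmt.Println(checkFirstReply([]byte{0xa1, 0x07, 0x30, 0x05, 0xa0, 0x03, 0x0a, 0x01, 0x00}))
}
```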

@denisenkom how are you doing? Does @jcmturner's suggestion help?

keith6014 avatar Sep 20 '18 15:09 keith6014