unix version of gssmaggot source code uploaded

Coordinator
Jun 15, 2007 at 8:44 PM
The Unix version published earlier on this site doesn't compile because gssapi.c is missing.

This is a compilable version with our latest changes in files shared by vs2005 project.

It has been compiled using gcc (GCC) 4.0.0 20050519 (Red Hat 4.0.0-8) on Fedora Core 4 with MIT Kerberos 1.5:

make -f makefile.linux.mitkrb5
Jun 21, 2007 at 8:05 PM
Edited Jun 21, 2007 at 8:06 PM
Hi,
Thanks for the update; just a bit useful for Linux support!

I hit a build error when trying to build under Debian Etch (va_list isn't a directly assignable type, __va_copy has to be used if it's #define'd), and a makefile error under MacOS X ("-ogssmaggot" is invalid syntax; has to be "-o gssmaggot"). I've also added a command line flag to enable debugging output at runtime even if HAVE_DEBUGLIB isn't defined. Would patches for any of the above be useful?

Also, is anyone able to actually run this code and have it work against a Windows gssMaster instance? I'm currently unable to; both sides just sit idle forever until I close gssmaggot on the Linux side. This causes the warnings "Failed to receive ProtocolVersion (4 bytes): 0x0" and "Cannot send Get Version And Caps request: 0x0" to show up from gssMaster; gssMaster then exits. gssMaggot under Windows compiles and runs just fine against the same gssMaster instance.

Thanks,
Adam
Coordinator
Jun 21, 2007 at 10:26 PM
Hi Adam,

Thank you for the feedback.

The compilation issues you reported will (hopefully) be addressed in the next upload. Please be informed that our support for the non-Windows version will continue to be minimal. We assume some DIY work from end users. :)

Can you provide the command line as well as its output (from both gssmaggot and gssmaster) so that I can better understand your problem?

Thanks,

Yi
Jun 21, 2007 at 11:24 PM
Edited Jun 22, 2007 at 12:02 AM
Hi Yi,

"non-windows support": Sure, makes sense. I'm planning to do a fair bit of work with the non-Windows version; just trying to see if it'd be useful for me to submit any generally-useful patches that I end up adding.

"command-line as well as its output": Here you go:

gssMaster (Windows XP, joined to a Windows 2003 Server domain):
"""{"C:\Documents and Settings\adam\Desktop\release\release>gssmaster /slaves [slave fqdn]:904 /principals test@[Windows Domain]:[test user's password] /test flagcombos +noisy
netutil.c:202 WarningFailed to receive ProtocolVersion (4 bytes): 0x0
clientio.c:365 WarningCannot send Get Version And Caps request: 0x0
"}"""


gssMaggot (Debian Etch Linux; can kinit as users on the Windows 2003 Server):
"""{"
$ sudo ./gssmaggot /spn adam/slave fqdn.Windows Domain
adam/slave fqdn.Windows Domain has no '@' symbol. If exercising cross-realm trust, make sure the other realm(s) can locate this service.
./gssmaggot starting on port 904...
"}"""

gssMaggot immediately displays the output above when I execute it, then both sit there indefinitely. gssMaster gives no output until I hit "Ctrl-C" on gssMaggot to close it. Then it displays the output shown above.

(there are a number of omitted blocks above, as both machines are visible outside of their local subnet; I'd be glad to send them to you personally if that'd be useful but I don't really want them posted forever on an Internet forum...)

Thanks,
Adam
Coordinator
Jun 25, 2007 at 7:17 PM
Hi,

I was unable to exactly repro the problem locally, but I'd speculate this is a communication issue due to setup. There are two typical possibilities:

(1) firewall issue.
Make sure gssmaggot/gssmaster traffic is not blocked by Debian or Windows XP.

(2) IP version issue.
gssmaggot/gssmaster both work on IPv6/IPv4. However, it requires both sides to use the same version to communicate. This is not always satisfied on a dual-stack machine. Internally, gssmaggot/gssmaster pick up the first available IP version (primary version) returned by getaddrinfo. Communication may fail for reasons like (1) both sides have dual stack but use a different primary version, or (2) one side uses IPv6 but the other side uses IPv4.

To direct gssmaggot/gssmaster to use a specific IP version, you can set an environment variable before starting up gssmaggot/gssmaster:

setting "PreferredNetIOAddressFamily=INET" asks for IPv4
setting "PreferredNetIOAddressFamily=INET6" asks for IPv6

As XP doesn't support IPv6, if your Debian supports IPv6, you need to direct gssmaggot to use IPv4 to get them to talk.

Thanks,

yizeng
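An added example (my own code, not gssmonger's) that models the selection rule described in the post above: each side reads PreferredNetIOAddressFamily, takes the first getaddrinfo result that family allows, and the two only talk if they land on the same family. The maggot's address list is constructed, and numeric loopback addresses keep it runnable offline.

```python
import socket

ENV_NAME = "PreferredNetIOAddressFamily"   # variable named in the post above

def preferred_family(environ):
    """INET -> AF_INET, INET6 -> AF_INET6; unset or anything else means
    'no preference', i.e. accept whatever getaddrinfo lists first."""
    value = environ.get(ENV_NAME, "").strip().upper()
    if value == "INET":
        return socket.AF_INET
    if value == "INET6":
        return socket.AF_INET6
    return socket.AF_UNSPEC

def first_endpoint(host, port, family=socket.AF_UNSPEC):
    """First getaddrinfo result for host that fits the requested family, as
    (family_name, address, port); None if the host has no such address.
    AI_NUMERICHOST keeps this offline (constructed addresses only)."""
    try:
        results = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM,
                                     0, socket.AI_NUMERICHOST)
    except socket.gaierror:
        return None
    fam, _type, _proto, _canon, sockaddr = results[0]
    return (fam.name, sockaddr[0], sockaddr[1])

def pick(addresses, environ, port=904):
    """One side's choice: the first of 'addresses' (in getaddrinfo order)
    that satisfies that side's PreferredNetIOAddressFamily, or None."""
    want = preferred_family(environ)
    for addr in addresses:
        endpoint = first_endpoint(addr, port, want)
        if endpoint is not None:
            return endpoint
    return None

def can_talk(master_env, maggot_env, maggot_addresses):
    """True when the family the maggot listens on equals the family the
    master connects with; False on a mismatch or if either side finds
    no usable address at all."""
    listen = pick(maggot_addresses, maggot_env)
    target = pick(maggot_addresses, master_env)
    if listen is None or target is None:
        return False
    return listen[0] == target[0]

if __name__ == "__main__":
    # Constructed dual-stack maggot whose resolver lists IPv6 first.
    debian = ["::1", "127.0.0.1"]
    xp = {ENV_NAME: "INET"}            # XP side is IPv4-only, as the post says
    print(can_talk(xp, {}, debian))                  # False: maggot picks IPv6
    print(can_talk(xp, {ENV_NAME: "INET"}, debian))  # True: both forced to IPv4
```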
Jun 26, 2007 at 9:38 PM
Hi,

Thanks for the suggestions. This did help me fix a problem with testing using Windows Vista, which I started yesterday.

Unfortunately, this doesn't seem to fix the problem with my Linux machine. An added bit of information, though: I've added a second Linux machine to my system; the first was Debian Etch amd64, and the new one is Debian Etch i386. I'm able to establish a connection with the new i386 machine where I apparently can't with the amd64 one.

Two other related questions: First, I can connect to the Linux i386 install, but all tests fail. I'm assuming this is because my setup is all wrong. Any chance that some Linux documentation will be coming out with the next release?

Second: It would be nice to be able to test using IPv6 under Windows XP. It's possible to install the IPv6 protocol as of some version of XP prior to SP2; I've tried doing so, but gssmonger doesn't want to use it. Would you expect this to ever work, or should I stick to IPv4?

Thanks,
Adam
Coordinator
Jul 2, 2007 at 6:37 PM
Hi Adam,

Sorry for the late reply. Thank you very much for reporting these issues.

>>> I'm able to establish a connection with the new i386 machine where I apparently can't with the amd64 one.
This is a lack of test coverage. We will prioritize investigating this issue, but it wouldn't happen before we publish the amd64 version of the vs2005 project for gssmonger.

>>> It would be nice to be able to test using IPv6 under Windows XP. It's possible to install the IPv6 protocol as of some version of XP prior to SP2; I've tried doing so, but gssmonger doesn't want to use it. Would you expect this to ever work, or should I stick to IPv4?
This is a lack of test coverage too. Please stick to IPv4 for now. We will investigate this issue soon.

>>> I can connect to the Linux i386 install, but all tests fail. I'm assuming this is because my setup is all wrong. Any chance that some Linux documentation will be coming out with the next release?
Are you looking for something that is specific to interop test setup on Linux, or on Windows as well? We shall be able to provide some documentation on test setup in our next upload. To quickly resolve your setup issue, you can post your log here (after removing any sensitive information you don't want to expose).

Thanks,

Yi Zeng
Jul 6, 2007 at 1:53 AM
Hi,
Sorry for my own delay in replying. I've moved my test setup to behind a NAT using test machines, so I don't have to worry so much about private information.

My log is too big to paste into this textbox, and I don't see a way to attach a file. I've posted the log at http://web.mit.edu/aseering/Public/gssMonger/gssMonger.log.xml; I'm glad to upload another copy here if there's a useful way to.

Thanks,
Adam
Jul 6, 2007 at 7:29 PM
Hi again,
Another question for you, actually: I'm working on porting gssMaster to Linux, so I can run tests from both Linux and Windows computers. I've gotten the gssMaster code to compile under Linux, but it won't link because the ezlog library is unavailable for Linux. Is there any chance that it could be released (either in source or useful binary form; though source would be most useful for me)?

Thanks,
Adam
Coordinator
Jul 6, 2007 at 11:57 PM
>>> http://web.mit.edu/aseering/Public/gssMonger/gssMonger.log.xml;

LevelName="Info"> 192.168.18.131: gssinitsec_context returned 0xd0000 (0x96c73a07): Miscellaneous failure minor:Server not found in Kerberos database </MSG>

It seems the service principal is not configured correctly on the MIT KDC. You should be able to see which service principal was requested but is missing by checking /var/log/krb5kdc.log, then "klist -k" to see if the service principal is really in /etc/krb5.keytab.

Thanks,

Yi Zeng
Coordinator
Jul 7, 2007 at 12:14 AM

>>> Another question for you, actually: I'm working on porting gssMaster to Linux, so I can run tests from both Linux and Windows computers. I've gotten the gssMaster code to compile under Linux, but it won't link because the ezlog library is unavailable for Linux. Is there any chance that it could be released (either in source or useful binary form; though source would be most useful for me)?

There are a bunch of libraries that the Windows gssmaster uses. They are not part of gssmonger, so they are not going to be published in source code form. We don't have any plan to compile them into any non-Windows libraries either. So the only choice is running gssmaster on Windows unless you implement those libraries on your own. Please also note that running gssmonger on Windows should not prevent you from doing any test against Linux. gssmaster is a control program which coordinates communications among gssmaggots. Platform-dependent operations are supposed to be implemented in gssmaggot.

Thanks,

Yi Zeng
Jul 7, 2007 at 1:57 AM
Edited Jul 7, 2007 at 2:01 AM
>>> It seems the service principal is not configured correctly on the MIT KDC. You should be able to see which service principal was requested but is missing by checking /var/log/krb5kdc.log, then "klist -k" to see if the service principal is really in /etc/krb5.keytab.

That seems like a plausible explanation. However, I'm not actually using an MIT KDC, I'm using an Active Directory server. I can check the keytab, but I've had bad luck with Active Directory Kerberos principals not being available to gssMonger even if I can kinit as them. Do you have any suggestions (or pointers to relevant documentation or equivalent logs under Windows)?

>>> There are a bunch of libraries that the Windows gssmaster uses. They are not part of gssmonger, so they are not going to be published in source code form. We don't have any plan to compile them into any non-Windows libraries either. So the only choice is running gssmaster on Windows unless you implement those libraries on your own. Please also note that running gssmonger on Windows should not prevent you from doing any test against Linux. gssmaster is a control program which coordinates communications among gssmaggots. Platform-dependent operations are supposed to be implemented in gssmaggot.

Well, we have some heavy Linux users here and I'm integrating into an existing test setup, so unfortunately running gssMaster on a Windows machine doesn't look like a feasible long-term solution for us... Thanks anyway; I'll probably reimplement ezlog on top of some existing logger library.

Thanks,
Adam
Coordinator
Jul 9, 2007 at 6:14 PM
>>> However, I'm not actually using an MIT KDC, I'm using an Active Directory server.
Windows AD or a different implementation of AD? If it is a Windows AD, can you describe the scenario (setup) a little bit? A network capture can also be helpful for you to diagnose.

>>>I'll probably reimplement ezlog on top of some existing logger library.
I am happy to see gssMaster being ported to Linux. Just a friendly reminder: it would be preferred if you can maintain source code compatibility b/w Windows and Linux (like gssmaggot) so that we will have a common release of gssMaster which builds successfully on both systems.

Thanks,

Yi Zeng
Jul 11, 2007 at 7:54 PM
Hi,
I haven't yet had a chance to set up and examine a network capture usefully, so, responding to your other questions:

It's Windows AD, as served by Windows 2003 Server. It's a test setup; I currently have two Windows clients joined to it as a domain, and I've set up a Linux client s.t. I can do "kinit $USER" with $USER being any AD user on the server. I've set up a keytab on the Linux client with what I think are the correct principals for this test. (To date I've only succeeded in testing Windows<->Windows with a Win2003 AD server; Windows automatically does enough Kerberos configuration when one joins a Windows client to an AD domain that I'm not really certain which configuration steps need to be taken on other OSes.)

I'll definitely target source code compatibility with the Windows version of gssMaster; I'm trying to follow gssMaggot's cross-platform-support style where possible. I am linking against a handful of common third-party libraries (i.e., glib, log4c; currently, all are licensed under the LGPL), which gssMaggot doesn't do; would you possibly want to distribute the cross-platform gssMaster from here, and if so, would this cause any problems (licensing or otherwise)?

Thanks,
Adam
Coordinator
Jul 12, 2007 at 11:41 PM
>>> I've set up a keytab on the Linux client with what I think are the correct principals for this test.
As I read it, the Linux box is running as a server in the AD domain. To be able to auth the service on the Linux box in this case, the AD needs to share its secret. Typical setup steps are:
1. Create a computer account (e.g., LinuxBox) representing the Linux box in the AD (e.g., WINDOWS.DOMAIN)
2. Register an SPN with the account, set its password and export the secret into a keytab file:
ktpass /mapuser LinuxBox$ /princ host/linuxbox.windows.domain@WINDOWS.DOMAIN /pass <password> /mapop set /ptype KRB5NTSRV_HST /out <keytab file> +DesOnly /crypto DES-CBC-MD5 +setpass
3. Transfer <keytab file> to the Linux box and use ktutil to import it into the local keytab file.

>>> would you possibly want to distribute the cross-platform gssMaster from here, and if so, would this cause any problems (licensing or otherwise)?
We want gssmonger to be a collaborative project accessible externally. That is why this project is on this site. We've put the license in all the source files we've released. No problem should occur as long as the license is enforced.
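An added example, not part of gssmonger, that verifies the result of step 3 the way the earlier "klist -k" check does: it parses an MIT-format keytab (version 0x0502), lists the live principals with their kvno and enctype, and skips slots that ktutil has deleted (stored with a negative size). The keytab bytes are constructed in-process, using the host/ SPN from the ktpass line above; enctype 3 is the standard number for des-cbc-md5 and the timestamp is a constructed 0.

```python
import struct

KEYTAB_VERSION = 0x0502  # MIT keytab format v2; every integer is big-endian

def _counted(raw):
    return struct.pack(">H", len(raw)) + raw   # counted_octet_string

def _read_counted(data, pos):
    n, = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_entry(principal, kvno, enctype, key, deleted=False):
    """Encode one entry for 'comp1/comp2@REALM'. deleted=True stores a negative
    size, which is how MIT marks a slot removed by ktutil (readers skip it)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for comp in comps:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT-PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                  # optional 32-bit vno
    return struct.pack(">i", -len(body) if deleted else len(body)) + body

def build_keytab(entries):
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(entries)

def parse_keytab(data):
    """Yield (principal, kvno, enctype) for every live entry, like 'klist -k -e'."""
    version, = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos = 2
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        end = pos + abs(size)
        if size < 0:                     # deleted slot: skip its bytes
            pos = end
            continue
        ncomp, = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, = struct.unpack_from(">H", data, pos + 9)
        _key, pos = _read_counted(data, pos + 11)
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        yield ("/".join(comps) + "@" + realm.decode(), kvno, enctype)
        pos = end

def has_principal(data, principal):
    return any(p == principal for p, _, _ in parse_keytab(data))
```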

Jul 19, 2007 at 7:48 PM
Sorry again for the delay, I had some trouble with our test server.

>>> Typical setup steps are:
I tried creating such a computer account and running the command that you specified, but the command returns:
DsCrackNames returned 0x2 in the name entry for LinuxBox$.
ktpass:failed getting target domain for specified user.

I tried creating users named "debian-dev" (the hostname of my main Linux test box) and "LinuxBox", and altering the command that you posted accordingly; the error message was the same for both (except "LinuxBox$" became "debian-dev$").

Any thoughts?
Jul 24, 2007 at 10:44 PM
Hi again,

I've done some more looking and playing; I'm now looking at a stream of "Pass"'s from a test log against Linux. So, it does actually seem to work now. Thanks!

I did some Web searching based on your instructions; this led me to http://support.microsoft.com/kb/324144. I was creating a Computer account and not a User account, and invoking ktpass slightly differently; with these instructions, I got a working keytab and was fairly quickly able to run tests.

Thanks,
Adam
Aug 7, 2007 at 7:27 PM
Hi once again,

For creating the Linux port of gssmaster, I have a version that compiles and launches, but refuses to run: It connects to the maggot and then just sits there; both sides stall waiting for the other to transmit some piece of data. I thought that it was failing because of a mistake on my part, but I've been able to reproduce the problem under Windows: The exact same thing happens if I run gssmaster on my WinXP test machine while logged into a local account, instead of a domain account.

I'm assuming this is a Kerberos configuration issue again. Do you happen to know what things gssmaster requires of a Kerberos setup, that gssmaggot doesn't?

Thanks,
Adam
Developer
Feb 19, 2009 at 9:48 PM
So, in preparation for the upcoming interoperability testing session, I've been taking a look at the gssmonger code.  Unfortunately we haven't done much with it since Adam's work in 2007, and in past interop sessions I've been mostly on the periphery -- around in case some debugging help was needed -- and not heavily involved in actually running gssmaster and reviewing results.  But, I'm making some progress...

I found a bug in some of the select() handling, in the version Adam was working on here at MIT.  With that fixed, and a few other tweaks, the Mac-hosted gssmaster talks to the maggots and runs to completion (using an MIT KDC, and two UNIX maggots).

Now I just have to figure out how to make sense of the output. :-)

I'm also seeing it run to completion with a Windows host running the master, not attached to a domain.  Adam was seeing problems with running the master from non-domain accounts on XP, but I don't see how anything I've changed would relate to whether the invoking account was a domain account.  (Maybe the issue was non-domain accounts on machines attached to a domain?)

Anyways... now I'm looking over the raw output files (XML on Windows, text on UNIX) to figure out if things are working well, and I'll be trying to familiarize myself with the usage of the master and how tests are written....

Do you have any scripts or programs for turning the XML into some more human- or browser-digestible form?  (Preferably not tied to viewing it with IE.)
Developer
Feb 24, 2009 at 1:09 AM
I've also improved the performance a little on the UNIX (Mac) side.  The code was running afoul of the usual Nagle/delayed-ack issue.  I didn't collect any timing data on the Windows side to see if it made a difference there.
Developer
Mar 2, 2009 at 6:53 PM
Edited Mar 2, 2009 at 7:01 PM
Just to make the information complete here...  JeremyV has attached ezlog.xslt and gssMonger.doc to the front page at http://gssmonger.codeplex.com/ .  The XSLT file works in IE, Safari, and Firefox, at least, and gives you nice color-coded listings of the results.