'ccache.get_tgs' called with 'strict=False' prevents using ccache with other TGS #43

Open
CravateRouge opened this issue Nov 30, 2024 · 1 comment


CravateRouge commented Nov 30, 2024

I understand the strict=False mode, which can be very convenient in get_tgs to use a TGS ticket even if the name is wrong but the ticket is actually valid for the target:

def get_tgs(self, spn:KerberosSPN, strict:bool=False):

However, it shouldn't be called in core functions without being able to provide a strict=True option, such as in tgs_from_ccache called by get_TGS:

tgs, keystruct, err = self.ccache.get_tgs(spn_user)

This leads to not being able to use a ccache with other TGS even if there is a valid TGT inside; here is an example to understand better:

$ klist MAIN.bloody.corp.ccache
Ticket cache: FILE:MAIN.bloody.corp.ccache
Default principal: [email protected]

Valid starting       Expires              Service principal
11/30/2024 07:46:56  11/30/2024 17:46:56  krbtgt/[email protected]
11/30/2024 07:46:56  11/30/2024 17:46:56  ldap/[email protected]
$ python3 msldapclient.py -v 'ldap+kerberos-ccache://tree2.lab\jane:[email protected]/?serverip=192.168.100.3&dc=192.168.100.4&dcc=192.168.100.3&realmc=bloody.corp' 'login' 
2024-11-30 07:52:08,039 msldap       DEBUG    ==== UniCredential ====
domain: tree2.lab
username: jane
secret: MAIN.bloody.corp.ccache
stype: CCACHE
protocol: KERBEROS
subprotocol: <asyauth.common.subprotocols.native.SubProtocolNative object at 0x7f19efddd910>
etypes: [23, 17, 18]
altname: None
altdomain: None
target: ==== UniTarget ====
hostname: None
port: 88
protocol: UniProto.CLIENT_TCP
timeout: 5
ssl_ctx: None
dc_ip: 192.168.100.4
domain: None
dns: None
use_privileged_source_port: False
proxies: []
ip: 192.168.100.4

certdata: None
keydata: None
cross_target: ==== UniTarget ====
hostname: None
port: 88
protocol: UniProto.CLIENT_TCP
timeout: 5
ssl_ctx: None
dc_ip: 192.168.100.3
domain: None
dns: None
use_privileged_source_port: False
proxies: []
ip: 192.168.100.3

cross_realm: bloody.corp
dh_params: {'p': 179769313486231590770839156793787453197860296048756011706444423684197180216158519368947833795864925541502180565485980503646440548199239100050792877003355816639229553136239076508735759914822574862575007425302077447712589550957937778424442426617334727629299387668709205606050270810842907692932019128194467627007, 'g': 2}

2024-11-30 07:52:08,039 msldap       DEBUG    ==== MSLDAPTarget ====
hostname: main.bloody.corp
port: 389
protocol: UniProto.CLIENT_TCP
timeout: 5
ssl_ctx: None
dc_ip: 192.168.100.4
domain: tree2.lab
dns: None
use_privileged_source_port: False
proxies: []
ip: 192.168.100.3
tree: None
ldap_query_page_size: 1000
ldap_query_ratelimit: 0

2024-11-30 07:52:08,056 msldap       DEBUG    Connecting!
2024-11-30 07:52:08,062 msldap       DEBUG    Connection succsessful!
2024-11-30 07:52:08,063 msldap       DEBUG    BIND in progress...
2024-11-30 07:52:08,064 asyauth.kerberos DEBUG    Flags: 48
2024-11-30 07:52:08,064 asyauth.kerberos DEBUG    SPN: ldap/[email protected]
2024-11-30 07:52:08,064 asyauth.kerberos DEBUG    CCACHE SPN record: krbtgt/[email protected]
2024-11-30 07:52:08,065 asyauth.kerberos DEBUG    CCACHE SPN record: ldap/[email protected]
silver@debianos:/mnt/hgfs/bloodyAD-dev$  cd /mnt/hgfs/bloodyAD-dev ; /usr/bin/env /bin/python3 /home/silver/.vscode/extensions/ms-python.debugpy-2024.12.0-linux-x64/bundled/libs/debugpy/adapter/../../debugpy/launcher 34279 -- /home/silver/.local/lib/python3.11/site-packages/msldap/examples/msldapclient.py -v 'ldap+kerberos-ccache://bloody.corp\jane:[email protected]/?serverip=192.168.100.3&dc=192.168.100.4&dcc=192.168.100.3&realmc=bloody.corp' 'login' 
2024-11-30 07:54:36,182 msldap       DEBUG    ==== UniCredential ====
domain: bloody.corp
username: jane
secret: MAIN.bloody.corp.ccache
stype: CCACHE
protocol: KERBEROS
subprotocol: <asyauth.common.subprotocols.native.SubProtocolNative object at 0x7f3bb24f99d0>
etypes: [23, 17, 18]
altname: None
altdomain: None
target: ==== UniTarget ====
hostname: None
port: 88
protocol: UniProto.CLIENT_TCP
timeout: 5
ssl_ctx: None
dc_ip: 192.168.100.4
domain: None
dns: None
use_privileged_source_port: False
proxies: []
ip: 192.168.100.4

certdata: None
keydata: None
cross_target: ==== UniTarget ====
hostname: None
port: 88
protocol: UniProto.CLIENT_TCP
timeout: 5
ssl_ctx: None
dc_ip: 192.168.100.3
domain: None
dns: None
use_privileged_source_port: False
proxies: []
ip: 192.168.100.3

cross_realm: bloody.corp
dh_params: {'p': 179769313486231590770839156793787453197860296048756011706444423684197180216158519368947833795864925541502180565485980503646440548199239100050792877003355816639229553136239076508735759914822574862575007425302077447712589550957937778424442426617334727629299387668709205606050270810842907692932019128194467627007, 'g': 2}

2024-11-30 07:54:36,183 msldap       DEBUG    ==== MSLDAPTarget ====
hostname: main.bloody.corp
port: 389
protocol: UniProto.CLIENT_TCP
timeout: 5
ssl_ctx: None
dc_ip: 192.168.100.4
domain: bloody.corp
dns: None
use_privileged_source_port: False
proxies: []
ip: 192.168.100.3
tree: None
ldap_query_page_size: 1000
ldap_query_ratelimit: 0

2024-11-30 07:54:36,197 msldap       DEBUG    Connecting!
2024-11-30 07:54:36,201 msldap       DEBUG    Connection succsessful!
2024-11-30 07:54:36,201 msldap       DEBUG    BIND in progress...
2024-11-30 07:54:36,202 asyauth.kerberos DEBUG    Flags: 48
2024-11-30 07:54:36,202 asyauth.kerberos DEBUG    SPN: ldap/[email protected]
2024-11-30 07:54:36,202 asyauth.kerberos DEBUG    CCACHE SPN record: krbtgt/[email protected]
2024-11-30 07:54:36,202 asyauth.kerberos DEBUG    CCACHE SPN record: ldap/[email protected]
2024-11-30 07:55:41,256 asyauth.kerberos DEBUG    Got TGS from CCACHE!
2024-11-30 07:55:41,257 asyauth.kerberos DEBUG    encpart: OrderedDict([('etype', 1), ('kvno', None), ('cipher', b'')])
2024-11-30 07:55:41,257 asyauth.kerberos DEBUG    session_key: Key(23, 4594ded5eea8f2fa7cd2163ce26ccd86)
Traceback (most recent call last):
  File "/home/silver/.local/lib/python3.11/site-packages/msldap/examples/msldapclient.py", line 90, in do_login
    raise err
msldap.commons.exceptions.LDAPBindException: LDAP Bind failed! Result code: "invalidCredentials" Reason: "b'8009030C: LdapErr: DSID-0C090585, comment: AcceptSecurityContext error, data 52e, v4f7c\x00'"

msldap is calling authenticate from asyauth.native, which calls get_TGS, which calls tgs_from_ccache, which will not find any valid service ticket but will return the ldap/[email protected] ticket because it is always non-strict, and will then try to authenticate with it instead of using the TGT to retrieve a referral ticket and then the right service ticket.

I think it would be good to provide a strict argument in the parent functions, or let the user provide a strict=True parameter in the connection URL.

What do you think? I can provide the PR.


skelsec commented Jan 1, 2025

yeah, that totally makes sense. the strict parameter was introduced waaaay back when debugging SMB kerberos auth, but I did not follow up since
