It should be possible to support server side delegation using the ImpersonateSecurityContext and RevertSecurityContext functions in SSPI.

https://docs.microsoft.com/en-us/windows/desktop/api/sspi/nf-sspi-impersonatesecuritycontext
https://docs.microsoft.com/en-us/windows/desktop/api/sspi/nf-sspi-revertsecuritycontext
https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/context-requirements

The API work to match ccs-pykerberos:

• Add support for the "delegated" param to authGSSClientInit
• Add support for authGSSServerHasDelegated

I don't think the other related functions (authGSSServerStoreDelegate and authGSSServerCacheName) make sense in SSPI or are possible to replicate.

Hi
I can not install this package in windows(sever 2012 r2) :
Python 3.7.0 .

PS C:\Windows\system32> pip install winkerberos -U
Collecting winkerberos
  Using cached https://files.pythonhosted.org/packages/85/b2/c5a66595bb477f1939596d80fa308e357c28abe22d3d6ce6cc2208c324e
e/winkerberos-0.7.0.zip
Installing collected packages: winkerberos
  Running setup.py install for winkerberos ... error
	Complete output from command c:\python\python.exe -u -c "import setuptools, tokenize;__file__='C:\\Users\\dvp7\\AppD
ata\\Local\\Temp\\pip-install-j8xs4qt6\\winkerberos\\setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read()
.replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record C:\Users\dvp7\AppData\Local\Tem
p\pip-record-jjpe1tk4\install-record.txt --single-version-externally-managed --compile:
	running install
	running build
	running build_ext
	building 'winkerberos' extension
	error: [WinError 3] The system cannot find the path specified: 'C:\\Program Files (x86)\\Microsoft Visual Studio 14.
0\\VC\\PlatformSDK\\lib'

Python 2.x distutils do not set the linker flags for ASLR and DEP by default (on 32-Bit...), those are only set in Python 3.3+. And those flags are not on by default at least on VS 2008.

So to get ASLR add /DYNAMICBASE (or the 64-bit version with /HIGHENTROPYVA where supported). For DEP add /NXCOMPAT (but thats the default nearly anywhere).

Downside is, that mingw has problems with those two... :-(

(see https://blogs.technet.microsoft.com/srd/2010/12/08/on-the-effectiveness-of-dep-and-aslr/)

tests\conftest.py:5: in
from tci_buildgraph import BuildGraph, BuildGraphInfo
jenkins-component-package-windows-ci-102\lib\site-packages\tci_buildgraph_init_.py:10: in
from .builder import BuildGraphBuilder
jenkins-component-package-windows-ci-102\lib\site-packages\tci_buildgraph\builder.py:9: in
from tci_idl import HbaseClient, make_columns, make_row_coord, make_rows_coord
jenkins-component-package-windows-ci-102\lib\site-packages\tci_idl_init_.py:5: in
from .ci_mail.v001.client import CiMailClient
jenkins-component-package-windows-ci-102\lib\site-packages\tci_idl\ci_mail\v001\client.py:6: in
from tci_idl.base_client import ThriftClient
jenkins-component-package-windows-ci-102\lib\site-packages\tci_idl\base_client.py:15: in
from .discovery import Discovery, nearly_select
jenkins-component-package-windows-ci-102\lib\site-packages\tci_idl\discovery.py:11: in
from tci_util import dump_object, log_duration
jenkins-component-package-windows-ci-102\lib\site-packages\tci_util_init_.py:5: in
from .bulletin import BulletinBoard
jenkins-component-package-windows-ci-102\lib\site-packages\tci_util\bulletin.py:9: in
from tci_zookeeper import ZKLib, ZookeeperError
jenkins-component-package-windows-ci-102\lib\site-packages\tci_zookeeper_init_.py:6: in
from .zklocklib import ZKLib, zk_lock
jenkins-component-package-windows-ci-102\lib\site-packages\tci_zookeeper\zklocklib.py:10: in
from kazoo.client import KazooClient
jenkins-component-package-windows-ci-102\lib\site-packages\kazoo\client.py:27: in
from kazoo.protocol.connection import ConnectionHandler
jenkins-component-package-windows-ci-102\lib\site-packages\kazoo\protocol\connection.py:46: in
from puresasl.client import SASLClient
jenkins-component-package-windows-ci-102\lib\site-packages\puresasl\client.py:4: in
import puresasl.mechanisms as mech_mod
jenkins-component-package-windows-ci-102\lib\site-packages\puresasl\mechanisms.py:21: in
kerberos.authGSSClientUserName = kerberos.authGSSClientUsername
E AttributeError: module 'winkerberos' has no attribute 'authGSSClientUsername'

For now, winkerberos seems to need a TGT to authenticate to a service but a service ticket should be enough. For example when I'm trying to connect to a LDAP AD service:

 _, ctx = winkerberos.authGSSClientInit("ldap/[email protected]", principal="[email protected]")
winkerberos.GSSError: SSPI: AcquireCredentialsHandle: No credentials are available in the security package

However, I've the following service ticket available:

#0>     Client: Administrator @ BLOODY.LOCAL
        Server: ldap/WIN-IJ5B521UO5L @ BLOODY.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x804a0000 -> reserved initial 0xa0000
        Start Time: 3/12/2022 12:38:17 (local)
        End Time:   3/12/2022 22:37:12 (local)
        Renew Time: 0
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:

Would it be possible to add support for this use case?

I see the code has been updated to support 3.12, but there hasn't been a release on PyPI since those changes. Can a new release be made?

Now that we have a server side API (added in #20) we need to add tests for it. Preferably, the client and server sides can start testing one another, removing the current MongoDB specific test suite.

authGSSClientStep raises a GSSError exception with this message: "SSPI: InitializeSecurityContext: No credentials are available in the security package" despite my having a krbtgt in the credential cache as shown in this lightly anonymized terminal snippet.

(venv36) C:\Users\neirbowj>python
Python 3.6.6 (v3.6.6:4cf1f54eb7, Jun 27 2018, 02:47:15) [MSC v.1900 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import winkerberos as k
>>> res, ctx = k.authGSSClientInit('service/host.example.com')
>>> k.authGSSClientStep(ctx, '')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
winkerberos.GSSError: SSPI: InitializeSecurityContext: No credentials are available in the security package

>>> exit()

(venv36) C:\Users\neirbowj>klist
Ticket cache: API:Initial default ccache
Default principal: [email protected]

Valid starting     Expires            Service principal
07/31/18 12:01:36  07/31/18 22:01:35  krbtgt/[email protected]
        renew until 08/07/18 09:01:35

My environment is Windows 10 Pro 10.0.16299, with Python 3.6.6 (32-bit; also reproducible on 2.7.15), MIT Kerberos for Windows 4.1 (32-bit), and winkerberos 0.7.0.

Both Apple's original kerberos project and the popular PyKerberos fork both implement this function. It would be trivial to implement in WinKerberos. DecryptMessage provides this information in the pfQOP out parameter. The implementation can be, essentially:

return pfQOP != SECQOP_WRAP_NO_ENCRYPT

References:
https://github.com/apple/ccs-pykerberos/blob/PyKerberos-1.2.5/pysrc/kerberos.py#L222
https://github.com/02strich/pykerberos/blob/v1.1.9/pysrc/kerberos.py#L148
https://msdn.microsoft.com/en-us/library/windows/desktop/aa375215(v=vs.85).aspx

Once AcceptSecurityContext returns SEC_E_OK it should be possible to call QueryContextAttributesW for SECPKG_ATTR_NATIVE_NAMES, then store the sServerName attribute in the server context to return later.

If the username includes non-ascii characters.

UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf6 in position 22: invalid start byte

The problem is our use of SecPkgContext_Names and QueryContextAttributes rather that SecPkgContext_NamesW and QueryContextAttributesW.

Hello! Are there plans to ship binary wheels for Python 3.8 soon? Many of us would really appreciate it.

Thanks 😄

cc @behackett

running python setup.py doc results in an AttributeError: module "'sphinx'" has no attribute 'main'. I couldn't find anything about a change in the Sphinx changelog, but that function does not seem to be there any more.

The authGSSClientInit implementation in WinKerberos attempts to be fully compatible with pykerberos, including support for the "principal" parameter, while also supporting some SSPI specific options (user, domain, and password). The current support for the principal option appears to be incorrect.

First, some background information. On a *nix machine you login locally, then call kinit to get a TGT. Starting with krb5 1.10 you can take advantage of credential cache collections with the addition of kswitch and improvements to kinit to get TGTs for multiple principals. gss_acquire_cred can find the correct credentials in the correct cache for the principal you specify.

On Windows the situation is very different. First, there is no kinit or kswitch, and klist only lists existing tickets or tgts. The documentation for the pszPrincipal parameter of AcquireCredentialsHandle appears to be wrong. How it is supposed to work is a mystery. Comments here claim that it is ignored in the Kerberos SSP. This post from back in 2001 claims it must be NULL.

The solution to this problem appears to be using the principal argument, when provided, as explicit user and domain when calling AcquireCredentialsHandle. For backward compatibility we should continue to support the user and domain parameters, preferring them if provided.

See requests/requests-kerberos#75 for the discussion leading to this ticket.

Currently the "doc" command for setup runs sphinx-build on a subprocess. This is problematic for a few reasons:

• On Windows it is highly unlikely that sphinx-build will be on the user's path, unless the build is run from a virtualenv.
• Even if sphinx-build is on the user's path, it may use a different interpreter than the interpreter used to run "setup.py doc". For example, running "C:\Python34\python.exe setup.py doc", but sphinx-build is "C:\Python27\Scripts\sphinx-build.exe"

We should import sphinx and call sphinx.main (sphinx.build_main when available) directly to avoid both of these problems. Also, document how to build the docs in the README.

We started to notice new users could not install this module using pip install winkerberos.

The error is to install MS Build Tools https://visualstudio.microsoft.com/visual-cpp-build-tools/.

What I found was that the install works perfect with 3.8.6, but fails with 3.9.0.

I suspect the wheels on PyPI need to be updated to support python 3.9.

Now that we've dropped Python 2.6, let's switch 2.7 over to PyCapsule. That way we can name the objects which should make development and debugging easier for users.

Comparing these two functions:
https://github.com/apple/ccs-pykerberos/blob/master/src/kerberos.c#L385
https://github.com/mongodb-labs/winkerberos/blob/master/src/winkerberos.c#L739

it looks like this implementation's authGSSClientUsername should be spelled authGSSClientUserName

This may not really be an issue but found no other way to communicate. I'm trying to replace pywin32's SSPI implementation within Px with winkerberos due to this issue.

I have the following code:-

class NtlmMessageGenerator2:
    def __init__(self, user=None):
        if not user:
            user = win32api.GetUserName()
        status, self.ctx = winkerberos.authGSSClientInit("NTLM", gssflags=0)

    def create_auth_request(self):
        status = winkerberos.authGSSClientStep(self.ctx, "")
        if status == winkerberos.AUTH_GSS_COMPLETE:
            return winkerberos.authGSSClientResponse(self.ctx)

        return None

    def create_challenge_response(self, challenge):
        status = winkerberos.authGSSClientStep(self.ctx, challenge)
        if status == winkerberos.AUTH_GSS_COMPLETE:
            return winkerberos.authGSSClientResponse(self.ctx)

        return None

However, it fails as follows:-

Exception happened during processing of request from ('127.0.0.1', 54674)
Traceback (most recent call last):
  File "C:\Miniconda\lib\socketserver.py", line 639, in process_request_thread
    self.finish_request(request, client_address)
  File "C:\Miniconda\lib\socketserver.py", line 361, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "C:\Miniconda\lib\socketserver.py", line 696, in __init__
    self.handle()
  File "C:\Miniconda\lib\http\server.py", line 418, in handle
    self.handle_one_request()
  File "px.py", line 133, in handle_one_request
    httpserver.SimpleHTTPRequestHandler.handle_one_request(self)
  File "C:\Miniconda\lib\http\server.py", line 406, in handle_one_request
    method()
  File "px.py", line 381, in do_CONNECT
    resp, headers, body = self.do_transaction()
  File "px.py", line 301, in do_transaction
    "Proxy-Authorization": "NTLM %s" % ntlm.create_auth_request()
  File "px.py", line 117, in create_auth_request
    status = winkerberos.authGSSClientStep(self.ctx, "")
winkerberos.GSSError: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable

Is NTLM not a valid service endpoint? It works fine with pywin32 (except for that issue with Python 3.6+). I'm running this on Windows 10.

Thanks in advance.

when I upgrade the modue winkerberos to 0.8.0, I am getting a module 'winkerberos' has no attribute 'authGSSClientUsername' error. Here's the trackback of error:
tests\conftest.py:5: in
from tci_buildgraph import BuildGraph, BuildGraphInfo
jenkins-component-package-windows-ci-102\lib\site-packages\tci_buildgraph_init_.py:10: in
from .builder import BuildGraphBuilder
jenkins-component-package-windows-ci-102\lib\site-packages\tci_buildgraph\builder.py:9: in
from tci_idl import HbaseClient, make_columns, make_row_coord, make_rows_coord
jenkins-component-package-windows-ci-102\lib\site-packages\tci_idl_init_.py:5: in
from .ci_mail.v001.client import CiMailClient
jenkins-component-package-windows-ci-102\lib\site-packages\tci_idl\ci_mail\v001\client.py:6: in
from tci_idl.base_client import ThriftClient
jenkins-component-package-windows-ci-102\lib\site-packages\tci_idl\base_client.py:15: in
from .discovery import Discovery, nearly_select
jenkins-component-package-windows-ci-102\lib\site-packages\tci_idl\discovery.py:11: in
from tci_util import dump_object, log_duration
jenkins-component-package-windows-ci-102\lib\site-packages\tci_util_init_.py:5: in
from .bulletin import BulletinBoard
jenkins-component-package-windows-ci-102\lib\site-packages\tci_util\bulletin.py:9: in
from tci_zookeeper import ZKLib, ZookeeperError
jenkins-component-package-windows-ci-102\lib\site-packages\tci_zookeeper_init_.py:6: in
from .zklocklib import ZKLib, zk_lock
jenkins-component-package-windows-ci-102\lib\site-packages\tci_zookeeper\zklocklib.py:10: in
from kazoo.client import KazooClient
jenkins-component-package-windows-ci-102\lib\site-packages\kazoo\client.py:27: in
from kazoo.protocol.connection import ConnectionHandler
jenkins-component-package-windows-ci-102\lib\site-packages\kazoo\protocol\connection.py:46: in
from puresasl.client import SASLClient
jenkins-component-package-windows-ci-102\lib\site-packages\puresasl\client.py:4: in
import puresasl.mechanisms as mech_mod
jenkins-component-package-windows-ci-102\lib\site-packages\puresasl\mechanisms.py:21: in
kerberos.authGSSClientUserName = kerberos.authGSSClientUsername
E AttributeError: module 'winkerberos' has no attribute 'authGSSClientUsername'

Please consider applying the patch below to support building winkerberos with mingw:
mingw build patch

https://msdn.microsoft.com/en-us/library/windows/desktop/aa379887%28v=vs.85%29.aspx

You probably load crypt32.dll anyway via the SSPI stuff.

Might be a good idea to zero out the password after using it in AcquireCredentialsHandleA(). Doesn't help a lot with Pythons String objects, but its better than nothing.

To better support unicode service principal names. This is (arguably) not as important as the earlier change to AcquireCredentialsHandleW, but the change should be simple.

Python offers a memoryview or buffer interface to raw-bytes, e.g. to bytearrays, mmap or custom objects implementing the buffer interface. PyString/PyBytes objects are inherently dangerous for passing password data, as those cannot be zeroed reliably after use. But buffer objects can be zeroed, as they are mutable string like structures.

So using z# instead of the z modifier for PyArg_ParseTupleAndKeywords would naturally allow using those more secure ways to pass password data to winkerberos.

Microsoft APIs like CryptStringToBinary and structs like SecBuffer and SEC_WINNT_AUTH_IDENTITY expect string length as ULONG. Python string length is defined as Py_ssize_t (ssize_t on platforms that define it). We should raise ValueError if the length of input strings exceeds ULONG_MAX. Currently these strings are truncated on 64 bit systems. Raising an explicit exception will make debugging much easier than authentication failing.

Hello

I was trying to test the SSPI server side authentication, but I am getting error that there is attribute for authGSSServerInit, i read the Documentation but was not able to figure it out if we have SSPI server side authentication support or if it is still in progress, any help on this would be much appreciated.

None is currently not supported when calling:

winkerberos.authGSSClientStep(ctx, base64.b64encode(in_token).decode('utf-8'), 
                                        channel_bindings=None) 
TypeError: Expected a channel bindings object

I saw a similar issue here: https://bugzilla.redhat.com/show_bug.cgi?id=1354334

Apple's original kerberos project enables this feature. WinKerberos currently defaults to signing but no confidentiality. That is, it passes SECQOP_WRAP_NO_ENCRYPT as the second parameter to EncryptMessage. We can instead pass 0 when protect is 1, following the example from MSDN's "SSPI/Kerberos Interoperability with GSSAPI" documentation.

References:
https://github.com/apple/ccs-pykerberos/blob/PyKerberos-1.2.5/pysrc/kerberos.py#L261
https://msdn.microsoft.com/en-us/library/windows/desktop/aa375385(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380496(v=vs.85).aspx

Note that the popular PyKerberos fork of Apple's project does not support this feature.
https://github.com/02strich/pykerberos/blob/v1.1.9/pysrc/kerberos.py#L173

The code is windows only, so it should probably use the 'secure' versions of CRT functions:

https://blogs.microsoft.com/cybertrust/2009/05/14/please-join-me-in-welcoming-memcpy-to-the-sdl-rogues-gallery/

Python 2.6 went EOL back in 2013. All of the Python packaging tools have dropped support. Since this package is Windows specific and Windows doesn't ship Python we don't have to worry about users stuck on "system" Python versions. It's time to drop 2.6.

This was actually found while using requests-kerberos, but it depends on winkerberos in Windows environments.

Full warning message:

requests_kerberos\kerberos_.py:385: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
    self.cbt_struct = kerberos.channelBindings(application_data=cbt_application_data)

I am not 100% familiar with the python c-api, so can only make some recommendations at a high level.

First, the documentation says:

**Note** For all # variants of formats (s#, y#, etc.), the type of the length argument (int or Py_ssize_t) is controlled by defining the macro PY_SSIZE_T_CLEAN before including Python.h. If the macro was defined, length is a Py_ssize_t rather than an int. This behavior will change in a future Python version to only support Py_ssize_t and drop int support. It is best to always define PY_SSIZE_T_CLEAN.

Per documentation, this at least means you may need to add this above here: https://github.com/mongodb-labs/winkerberos/blob/master/src/kerberos_sspi.h#L19

Looking at a similar issue in tox, I could guess where other changes could be made: https://github.com/python-pillow/Pillow/pull/3749/files

Running with

python 3.8.1
Windows 10 RS5
Similar issue found in other libraries
python-pillow/Pillow#3750
https://github.com/zopefoundation/ZODB/issues/261

Related to requests/requests-kerberos#92 and apple/ccs-pykerberos#55. We should attempt to add channel bindings support to WinKerberos.

Microsoft doesn't document support for channel bindings in InitializeSecurityContext, but they do document it for AcceptSecurityContext. I'm guessing / hoping the missing docs for InitializeSecurityContext are an oversite. It looks like we can add a SecBuffer with BufferType SECBUFFER_CHANNEL_BINDINGS to the SecBufferDesc instance here. There is an example of someone doing this with PyWin32 here.

The SEC_CHANNEL_BINDINGS struct is documented here. It's not clear to me if SSPI equivalents of constants like GSS_C_AF_UNSPEC are actually defined somewhere, or if we can just define them ourselves starting with the value 0. For reference - http://www.shrubbery.net/solaris9ab/SUNWdev/GSSAPIPG/p27.html#REFERENCE-9

It's also unclear to me if the current test suite (which uses MongoDB for all its tests) can actually test this feature.

As of Python 3.10 distutils is deprecated, to be removed in Python 3.12. We currently use build_ext from distutils but can trivially migrate to the same command in setuptools.

It would be much prefered if you used the _W versions of the API, especially for the auth identify.

Both usernames and credentials/passwords might contain UTF-16 chars outside of the current codepage.

In addition, your code reacts in funny ways if one changes the current user local (e.g. when using remote desktop, try switching between turkish, german and EN_US and use some umlauts or accents in the usernames or passwords, those might get silently converted).

Its close to trivial to use the UTF-16 APIs from python thanks to the usual unicode support.

See requests/requests-kerberos#75

Same reasons as dropping support for Python 2.6, but the Python version has a different EOL year.