https://bugs.winehq.org/show_bug.cgi?id=55304
Bug ID: 55304
Summary: Kerberos authentication stopped to work after PE wldap32 conversion
Product: Wine
Version: 8.13
Hardware: x86-64
OS: Linux
Status: NEW
Keywords: patch, regression
Severity: normal
Priority: P2
Component: wldap32
Assignee: wine-bugs@winehq.org
Reporter: dmitry@baikal.ru
CC: hans@meelstraat.net
Regression SHA1: 02e52db7aa627b980dec3dfd4053e20a380ee555
Distribution: ---
Created attachment 74900 --> https://bugs.winehq.org/attachment.cgi?id=74900 patch
The SASL2 plugin in libs/ldap/libldap/sasl_w.c doesn't follow the RFC 4752 specification in several ways, and it looks like it was never tested with Kerberos, since it queries the key info using QueryContextAttributesA(SECPKG_ATTR_KEY_INFO); however, this attribute is supported neither by the Wine Kerberos implementation nor by Kerberos in Windows 10. Actually, the SSF (SASL Security Strength Factor) value returned by the plugin is never used by libldap, so it's not necessary to set SSF to anything but 1. Besides, dlls/kerberos uses constants for the trailer, signature and max buffer size that no longer work with modern implementations. Also, at least the Kerberos servers I was testing with use a trailer length of either 64 or 60, so I had to add a patch to query the Kerberos security trailer length from the context; otherwise it's not possible to correctly encode/decode LDAP messages and server responses.
I'm attaching a patch that makes Kerberos authentication work again.
Here are some useful links that were used as a reference:
https://www.rfc-editor.org/rfc/rfc4752#page-3
https://github.com/openldap/openldap/blob/master/libraries/libldap/cyrus.c
https://github.com/cyrusimap/cyrus-sasl/blob/master/lib/client.c
https://github.com/cyrusimap/cyrus-sasl/blob/master/plugins/gssapi.c
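For reference, the security-layer negotiation message that RFC 4752 defines (the page-3 link above), as an added example: this is not Wine's sasl_w.c and not the attached patch. The struct and function names are hypothetical, the sample token is constructed, and the GSS_Unwrap/GSS_Wrap calls that surround these messages are omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Security-layer bits defined by RFC 4752 */
#define LAYER_NONE            0x01
#define LAYER_INTEGRITY       0x02
#define LAYER_CONFIDENTIALITY 0x04
struct sec_offer { uint8_t layers; uint32_t max_buf; };

/* Parse the unwrapped server token; -1 means the client must fail the negotiation. */
static int parse_server_offer(const uint8_t *tok, size_t len, struct sec_offer *o)
{
    if (len != 4) return -1;                 /* cleartext must be exactly 4 octets */
    o->layers  = tok[0];                     /* bit-mask of layers the server offers */
    o->max_buf = ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | tok[3];
    /* a server offering no integrity/confidentiality layer must send size 0 */
    if (!(o->layers & (LAYER_INTEGRITY | LAYER_CONFIDENTIALITY)) && o->max_buf)
        return -1;
    return 0;
}

/* Build the client reply (the input to GSS_Wrap); returns its length, 0 on error. */
static size_t build_client_reply(const struct sec_offer *o, uint8_t want,
                                 uint32_t client_max, const char *authzid,
                                 uint8_t *out, size_t out_len)
{
    size_t id_len = authzid ? strlen(authzid) : 0;
    if (want != LAYER_NONE && want != LAYER_INTEGRITY && want != LAYER_CONFIDENTIALITY)
        return 0;                            /* exactly one layer is selected */
    if (!(o->layers & want)) return 0;       /* server did not offer it */
    if (want == LAYER_NONE) client_max = 0;  /* no layer in effect: send size 0 */
    if (client_max > 0xFFFFFF || out_len < 4 + id_len) return 0;
    out[0] = want;                           /* selected layer */
    out[1] = (uint8_t)(client_max >> 16);    /* 3-octet size, network byte order */
    out[2] = (uint8_t)(client_max >> 8);
    out[3] = (uint8_t)client_max;
    if (id_len) memcpy(out + 4, authzid, id_len);  /* UTF-8 authorization identity */
    return 4 + id_len;
}

int main(void)
{
    const uint8_t tok[4] = { 0x07, 0x00, 0xA0, 0x00 };  /* constructed sample */
    struct sec_offer o; uint8_t reply[16];
    if (parse_server_offer(tok, sizeof tok, &o)) return 1;
    size_t n = build_client_reply(&o, LAYER_INTEGRITY, 65536, NULL, reply, sizeof reply);
    printf("layers=0x%02x server_max=%u reply_len=%zu\n", o.layers, (unsigned)o.max_buf, n);
    return 0;
}
```

The sizes exchanged here bound the unwrapped message, so the wrapped LDAP buffers still have to account for the mechanism's trailer length, which the report says varies by server.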