GNU SASL GSSAPI Example

Question

I can't seem to find an example anywhere of how to use GNU's SASL with the gssapi mechanism. I've tried starting it up like this (just guessing how the thing works):

        gsasl_init(&ctx);
        gsasl_client_start(ctx, "GSSAPI", &session);

But I get a GSASL_UNKNOWN_MECHANISM error from gsasl_client_start. Does anyone know how to use gsasl? Could someone point me to a tutorial?

3rd link in google http://gnu.ist.utl.pt/software/gsasl/doxygen/ — Iłya Bursov, Mar 13 '20 at 21:51
Your "3rd link in google" @IłyaBursov doesn't have example code how to use GSSAPI. — David Mulder, Mar 13 '20 at 21:53
2nd link in google https://www.gnu.org/software/gsasl/coverage/tests/gssapi.c.gcov.frameset.html — Iłya Bursov, Mar 13 '20 at 21:58
Tough crowd today! What OS / environment are you doing this on? — Steve Friedl, Mar 13 '20 at 22:03
That's not even on the first page of results, let alone the second result! — David Mulder, Mar 13 '20 at 22:03
@SteveFriedl on Linux. I just checked the result from gsasl_client_support_p() and looks like it thinks there's no support for it. I believe I have heimdal installed... — David Mulder, Mar 13 '20 at 22:04
@DavidMulder - that has to be it. I'm looking at the source, and there's a lot of #ifdef around all the various mechanisms, including `USE_GSSAPI`, though I don't know if *only* lack of compiling can do it; it could be that support is built in but the OS doesn't have support for it (Kerberos)? Did you build the library yourself? EDIT: it's not compiled in, that's the only thing that can cause this AFAICT. — Steve Friedl, Mar 13 '20 at 22:06
@SteveFriedl actually it's mit krb5 1.17 I've got installed (including devel package). I'm using distribution packages. — David Mulder, Mar 13 '20 at 22:09
Thanks @SteveFriedl I'll take a look at the package (also using the gsasl distro package). It must not be compiled in. — David Mulder, Mar 13 '20 at 22:13

score 2 · Accepted Answer · answered Mar 13 '20 at 22:14

This is clearly due to the library not being built with GSSAPI support; looking at the source (`libgasl-1.8.1'), the only place that can return this is:

// src/xstart.c
static int
setup (Gsasl * ctx,
       const char *mech,
       Gsasl_session * sctx,
       size_t n_mechs, Gsasl_mechanism * mechs, int clientp)
{
  Gsasl_mechanism *mechptr = NULL;
  int res;

  mechptr = find_mechanism (mech, n_mechs, mechs);
  if (mechptr == NULL)
    return GSASL_UNKNOWN_MECHANISM;

So this means it's not a case of the library supporting it but it can't find resources on the computer that back it up (kerberos, for instance).

When I attempted to compile this on my own system, configure did not enable GSSAPI because it couldn't find something important:

...
checking if DIGEST-MD5 should be used... yes
checking if SCRAM-SHA-1 should be used... yes
checking if SAML20 should be used... yes
checking if OPENID20 should be used... yes
configure: checking for GSS implementation (yes)
configure: auto-detecting GSS/MIT/Heimdal
configure: use --with-gssapi-impl=IMPL to hard code
configure: where IMPL is `gss', `mit', or `heimdal'
checking for libgss... no
configure: WARNING: GNU GSS not found (see http://www.gnu.org/software/gss/)...
configure: WARNING: Auto-detecting MIT/Heimdal is unreliable, disabling GSSAPI
checking if KERBEROS_V5 should be used... no
...

so either some underlying package is missing, you need to fetch a related but differently named package (that includes this support), or you need to build it yourself with options that enable what you want.

And you're absolutely right. I see the same error in the package build history: https://build.opensuse.org/package/show/openSUSE%3AFactory/libgsasl I'll have to raise an issue with the maintainer. Looks like they need to specify --with-gssapi-impl when configuring to use mit krb5 (since I see the package explicitly requires the krb5-devel package). — David Mulder, Mar 13 '20 at 22:20
I rebuilt libgsasl with --with-gssapi-impl=mit and it works! I also submitted a fix for opensuse. — David Mulder, Mar 13 '20 at 22:45

GNU SASL GSSAPI Example

1 Answers1