Allow NTLM tests on newer Linux distributions

[rzikm]

fixes #111639.

[rzikm]

Looks like the code crashes with the new gss-ntlmssp

=================================================================
	Managed Stacktrace:
=================================================================
	  at <unknown> <0xffffffff>
	  at NetSecurityNative:<InitSecContext>g____PInvoke|16_0 <0x00017>
	  at NetSecurityNative:InitSecContext <0x0020b>
	  at NetSecurityNative:InitSecContext <0x000ab>
	  at UnixNegotiateAuthenticationPal:InitializeSecurityContext <0x00367>
	  at UnixNegotiateAuthenticationPal:GetOutgoingBlob <0x000db>
	  at System.Net.Security.NegotiateAuthentication:GetOutgoingBlob <0x0005f>
	  at System.Net.Security.Tests.NegotiateAuthenticationTests:DoNtlmExchange <0x000c7>
	  at System.Net.Security.Tests.NegotiateAuthenticationTests:RemoteIdentity_ThrowsOnDisposed <0x00197>

[filipnavara]

Looks like the code crashes with the new gss-ntlmssp

The native stack trace would be more useful...

...but weirdly, it crashed only on Mono pipeline, didn't it? Is that one using a different Ubuntu version? (I'll answer myself - it seems to be 24.10, so 🤷🏿 )

[rzikm]

I updated my WSL to ubuntu 24 so I can debug locally, so far I managed to get this

ntlm_decode_u16l_str_hdr.constprop.0 (ctx=<optimized out>, str_hdr=<optimized out>, buffer=<optimized out>, payload_offs=<optimized out>, str=0x7f3b430a2350) at src/ntlm.c:328
#7  0x00007f3b438c9fe5 in ntlm_decode_chal_msg (target_info=0x7f3b430a22b0, challenge=<synthetic pointer>, target_name=<synthetic pointer>, _flags=<synthetic pointer>, buffer=0x7efa1c020900, ctx=0x7efa1c021a20) at src/ntlm.c:1125
#8  gssntlm_init_sec_context (mech_type=<optimized out>, time_req=<optimized out>, time_rec=<optimized out>, ret_flags=0x7f3b430a2c98, output_token=<optimized out>, actual_mech_type=<optimized out>, input_token=<optimized out>, input_chan_bindings=<optimized out>, 
    req_flags=32506, target_name=<optimized out>, context_handle=0x7f3b430a23e0, claimant_cred_handle=0x7efa1c0110e0, minor_status=0x7efa1c0208d0) at src/gss_sec_ctx.c:290
#9  gss_init_sec_context (minor_status=minor_status@entry=0x7f3b430a2cc0, claimant_cred_handle=claimant_cred_handle@entry=0x7efa1c0110e0, context_handle=context_handle@entry=0x7efa1c012c30, target_name=<optimized out>, mech_type=<optimized out>, 
    req_flags=req_flags@entry=32, time_req=<optimized out>, input_chan_bindings=<optimized out>, input_token=<optimized out>, actual_mech_type=<optimized out>, output_token=<optimized out>, ret_flags=<optimized out>, time_rec=<optimized out>) at src/gss_spi.c:22
#10 0x00007f3b43a1734e in gss_init_sec_context (minor_status=0x7f3b430a2cc0, claimant_cred_handle=<optimized out>, context_handle=0x7f3b430a29c0, target_name=0x7efa1c00eff0, req_mech_type=<optimized out>, req_flags=32, time_req=0, input_chan_bindings=0x0, 
    input_token=0x7f3b430a2658, actual_mech_type=0x7f3b430a2640, output_token=0x7f3b430a2648, ret_flags=0x7f3b430a2c98, time_rec=0x0) at mechglue/../../../../src/lib/gssapi/mechglue/g_init_sec_context.c:211
#11 0x00007f3b43a5fe41 in NetSecurityNative_InitSecContextEx (minorStatus=0x7f3b430a2cc0, claimantCredHandle=0x7efa1c00dad0, contextHandle=0x7f3b430a29c0, packageType=1, cbt=0x0, cbtSize=0, targetName=0x7efa1c00eff0, reqFlags=32, inputBytes=0x7efad0d171c0 "NTLMSSP", 
    inputLength=92, outBuffer=0x7f3b430a2cd0, retFlags=0x7f3b430a2c98, isNtlmUsed=0x7f3b430a29b0) at /source/dotnet/runtime/src/native/libs/System.Net.Security.Native/pal_gssapi.c:374
#12 0x00007f3b43a5fa2f in NetSecurityNative_InitSecContext (minorStatus=0x7f3b430a2cc0, claimantCredHandle=0x7efa1c00dad0, contextHandle=0x7f3b430a29c0, packageType=1, targetName=0x7efa1c00eff0, reqFlags=32, inputBytes=0x7efad0d171c0 "NTLMSSP", inputLength=92, 
    outBuffer=0x7f3b430a2cd0, retFlags=0x7f3b430a2c98, isNtlmUsed=0x7f3b430a29b0) at /source/dotnet/runtime/src/native/libs/System.Net.Security.Native/pal_gssapi.c:288

[rzikm]

Other occurence I get is

#5  <signal handler called>
#6  0x00007f5a0f3de5c5 in ?? () from /usr/lib/x86_64-linux-gnu/gssntlmssp/gssntlmssp.so
#7  0x00007f5a0f3d3fe5 in gss_init_sec_context () from /usr/lib/x86_64-linux-gnu/gssntlmssp/gssntlmssp.so
#8  0x00007f5a0f52134e in gss_init_sec_context () from /lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#9  0x00007f5a0f569e41 in NetSecurityNative_InitSecContextEx (minorStatus=0x7f5a0e3abcc0, claimantCredHandle=0x7f18c4004350, contextHandle=0x7f5a0e3ab9c0, packageType=1, cbt=0x0, cbtSize=0, targetName=0x7f18b4001cc0, reqFlags=32, inputBytes=0x7f199ceb2840 "NTLMSSP", 
    inputLength=92, outBuffer=0x7f5a0e3abcd0, retFlags=0x7f5a0e3abc98, isNtlmUsed=0x7f5a0e3ab9b0) at /source/dotnet/runtime/src/native/libs/System.Net.Security.Native/pal_gssapi.c:374
#10 0x00007f5a0f569a2f in NetSecurityNative_InitSecContext (minorStatus=0x7f5a0e3abcc0, claimantCredHandle=0x7f18c4004350, contextHandle=0x7f5a0e3ab9c0, packageType=1, targetName=0x7f18b4001cc0, reqFlags=32, inputBytes=0x7f199ceb2840 "NTLMSSP", inputLength=92, 
    outBuffer=0x7f5a0e3abcd0, retFlags=0x7f5a0e3abc98, isNtlmUsed=0x7f5a0e3ab9b0) at /source/dotnet/runtime/src/native/libs/System.Net.Security.Native/pal_gssapi.c:288

#5  <signal handler called>
#6  ntlm_decode_u16l_str_hdr.constprop.0 (ctx=<optimized out>, str_hdr=<optimized out>, buffer=<optimized out>, payload_offs=<optimized out>, str=0x7ec3faff8350) at src/ntlm.c:328
#7  0x00007ec419e6ffe5 in ntlm_decode_chal_msg (target_info=0x7ec3faff82b0, challenge=<synthetic pointer>, target_name=<synthetic pointer>, _flags=<synthetic pointer>, buffer=0x7ec3ec018660, ctx=0x7ec3ec006250) at src/ntlm.c:1125
#8  gssntlm_init_sec_context (mech_type=<optimized out>, time_req=<optimized out>, time_rec=<optimized out>, ret_flags=0x7ec3faff8c98, output_token=<optimized out>, actual_mech_type=<optimized out>, input_token=<optimized out>, input_chan_bindings=<optimized out>, 
    req_flags=32451, target_name=<optimized out>, context_handle=0x7ec3faff83e0, claimant_cred_handle=0x7ec3ec00aae0, minor_status=0x7ec3ec018630) at src/gss_sec_ctx.c:290
#9  gss_init_sec_context (minor_status=minor_status@entry=0x7ec3faff8cc0, claimant_cred_handle=claimant_cred_handle@entry=0x7ec3ec00aae0, context_handle=context_handle@entry=0x7ec3ec007830, target_name=<optimized out>, mech_type=<optimized out>, 
    req_flags=req_flags@entry=32, time_req=<optimized out>, input_chan_bindings=<optimized out>, input_token=<optimized out>, actual_mech_type=<optimized out>, output_token=<optimized out>, ret_flags=<optimized out>, time_rec=<optimized out>) at src/gss_spi.c:22
#10 0x00007ec419fbd34e in gss_init_sec_context (minor_status=0x7ec3faff8cc0, claimant_cred_handle=<optimized out>, context_handle=0x7ec3faff89c0, target_name=0x7ec3e80040b0, req_mech_type=<optimized out>, req_flags=32, time_req=0, input_chan_bindings=0x0, 
    input_token=0x7ec3faff8658, actual_mech_type=0x7ec3faff8640, output_token=0x7ec3faff8648, ret_flags=0x7ec3faff8c98, time_rec=0x0) at mechglue/../../../../src/lib/gssapi/mechglue/g_init_sec_context.c:211
#11 0x00007ec41a005e41 in NetSecurityNative_InitSecContextEx (minorStatus=0x7ec3faff8cc0, claimantCredHandle=0x7ec3cc008710, contextHandle=0x7ec3faff89c0, packageType=1, cbt=0x0, cbtSize=0, targetName=0x7ec3e80040b0, reqFlags=32, inputBytes=0x7ec4b4ebc478 "NTLMSSP", 
    inputLength=92, outBuffer=0x7ec3faff8cd0, retFlags=0x7ec3faff8c98, isNtlmUsed=0x7ec3faff89b0) at /source/dotnet/runtime/src/native/libs/System.Net.Security.Native/pal_gssapi.c:374
#12 0x00007ec41a005a2f in NetSecurityNative_InitSecContext (minorStatus=0x7ec3faff8cc0, claimantCredHandle=0x7ec3cc008710, contextHandle=0x7ec3faff89c0, packageType=1, targetName=0x7ec3e80040b0, reqFlags=32, inputBytes=0x7ec4b4ebc478 "NTLMSSP", inputLength=92, 
    outBuffer=0x7ec3faff8cd0, retFlags=0x7ec3faff8c98, isNtlmUsed=0x7ec3faff89b0) at /source/dotnet/runtime/src/native/libs/System.Net.Security.Native/pal_gssapi.c:288

I will dig more tomorrow, it seems pretty deterministic

[filipnavara]

That does ring a bell: gssapi/gss-ntlmssp#90

[wfurt]

As far as I can tell this was fixed on 1.3 v1.3.0 but Ubuntu pulls in 1.2 ;)

[rzikm]

/azp run runtime-extra-platforms

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[rzikm]

okay, another attempt, this time on Fedora 41 which seems to be the only one that has 1.3.0 available (from the distros in our test matrix). I am getting

  Discovering: System.Net.Security.Unit.Tests (method display = ClassAndMethod, method display options = None)
  Discovered:  System.Net.Security.Unit.Tests (found 84 of 88 test cases)
  Starting:    System.Net.Security.Unit.Tests (parallel test collections = on [20 threads], stop on fail = off)
    System.Net.Security.Tests.NegotiateAuthenticationTests.NegotiateCorrectExchangeTest(requestMIC: True, requestConfidentiality: True) [FAIL]
      InvalidToken
      Stack Trace:
           at System.Net.Security.Tests.NegotiateAuthenticationTests.NegotiateCorrectExchangeTest(Boolean requestMIC, Boolean requestConfidentiality)
        /_/src/coreclr/System.Private.CoreLib/src/System/Reflection/MethodBaseInvoker.CoreCLR.cs(36,0): at System.Reflection.MethodBaseInvoker.InterpretedInvoke_Method(Object obj, IntPtr* args)
        /_/src/libraries/System.Private.CoreLib/src/System/Reflection/MethodBaseInvoker.cs(174,0): at System.Reflection.MethodBaseInvoker.InvokeDirectByRefWithFewArgs(Object obj, Span`1 copyOfArgs, BindingFlags invokeAttr)
    System.Net.Security.Tests.NegotiateAuthenticationTests.NegotiateCorrectExchangeTest(requestMIC: True, requestConfidentiality: False) [FAIL]
      InvalidToken
      Stack Trace:
           at System.Net.Security.Tests.NegotiateAuthenticationTests.NegotiateCorrectExchangeTest(Boolean requestMIC, Boolean requestConfidentiality)
           at InvokeStub_NegotiateAuthenticationTests.NegotiateCorrectExchangeTest(Object, Span`1)
        /_/src/libraries/System.Private.CoreLib/src/System/Reflection/MethodBaseInvoker.cs(136,0): at System.Reflection.MethodBaseInvoker.InvokeWithFewArgs(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
    System.Net.Security.Tests.NegotiateAuthenticationTests.NegotiateCorrectExchangeTest(requestMIC: False, requestConfidentiality: False) [FAIL]
      InvalidToken
      Stack Trace:
           at System.Net.Security.Tests.NegotiateAuthenticationTests.NegotiateCorrectExchangeTest(Boolean requestMIC, Boolean requestConfidentiality)
           at InvokeStub_NegotiateAuthenticationTests.NegotiateCorrectExchangeTest(Object, Span`1)
        /_/src/libraries/System.Private.CoreLib/src/System/Reflection/MethodBaseInvoker.cs(136,0): at System.Reflection.MethodBaseInvoker.InvokeWithFewArgs(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
    System.Net.Security.Tests.NegotiateAuthenticationTests.NtlmCorrectExchangeTest(credential: NetworkCredential { Domain = "", Password = "rightpassword", SecurePassword = SecureString { Length = 13 }, UserName = "rightusername@rightdomain.com" }) [FAIL]
      Assert.Equal() Failure: Strings differ
                              ↓ (pos 13)
      Expected: "rightusername@rightdomain.com"
      Actual:   "rightusername"
      Stack Trace:
           at System.Net.Security.FakeNtlmServer.ValidateAuthentication(Byte[] incomingBlob)
           at System.Net.Security.FakeNtlmServer.GetOutgoingBlob(Byte[] incomingBlob)
           at System.Net.Security.Tests.NegotiateAuthenticationTests.DoNtlmExchange(FakeNtlmServer fakeNtlmServer, NegotiateAuthentication ntAuth)
           at System.Net.Security.Tests.NegotiateAuthenticationTests.NtlmCorrectExchangeTest(NetworkCredential credential)
           at InvokeStub_NegotiateAuthenticationTests.NtlmCorrectExchangeTest(Object, Span`1)
        /_/src/libraries/System.Private.CoreLib/src/System/Reflection/MethodBaseInvoker.cs(95,0): at System.Reflection.MethodBaseInvoker.InvokeWithOneArg(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
    System.Net.Security.Tests.NegotiateAuthenticationTests.Package_Unsupported_NTLM [SKIP]
      Condition(s) not met: "IsNtlmUnavailable"
  Finished:    System.Net.Security.Unit.Tests
=== TEST EXECUTION SUMMARY ===
   System.Net.Security.Unit.Tests  Total: 107, Errors: 0, Failed: 4, Skipped: 1, Time: 3.707s
/source
----- end Fri Mar 14 13:30:02 UTC 2025 ----- exit code 1 ----------------------------------------------------------

I am afraid this goes beyond my expertise, unless @filipnavara has any pointers for me to investigate this.

[filipnavara]

I'll put it on my backlog but I don't expect to investigate it until next week.

[rzikm]

Closing for now, will restart the investigation of the test failures in the future.