Samba3's fake GSSAPI and FreeBSD

Andrew Bartlett abartlet at
Sun Sep 12 00:06:31 MDT 2010

On Sat, 2010-09-11 at 19:05 -0700, Jeremy Allison wrote:
> On Sat, Sep 11, 2010 at 07:01:16PM +1000, Andrew Bartlett wrote:
> > 
> > While the whole patch scares me (if we need to use real GSSAPI that
> > badly, we should use GSSAPI, and stop faking it up)
> History Andrew, history. I'm sure you remember it. At the
> time no gssapi library did what we needed, so we had no choice.

Indeed, but poor relations we had with the Kerberos community 10 years
ago no longer applies, and the APIs we were missing (the ability to get
the session key for smb signing) have been available in released
versions for quite some time now. 

> > Perhaps we should perhaps have two simple defines:  HAVE_KRB5 and
> > HAVE_MODERN_KRB5, with a switch between the two rather than testing for
> > each function, and getting too many combinations.  We just can't test
> > the number of variations at the moment.  
> This is a good idea, but only if you are willing to spend the
> time tracking down the calls and making the change. Else it's
> an "unfunded mandate" (or wishful thinking :-). In the meantime
> we'll just have to find and fix bugs as the occur, as normal.

I already did that for the removal of the #ifdef HAVE_ARCFOUR_HMAC_MD5.
I don't mind removing other special cases.

In particular we should make it clear in configure output that we are
missing features we want, so we don't silently miss features if the
tests are wrong (or don't cope with changes in the libs). 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list