Samba3's fake GSSAPI and FreeBSD

simo idra at samba.org
Sun Sep 12 07:27:38 MDT 2010 

On Sun, 2010-09-12 at 16:06 +1000, Andrew Bartlett wrote:
> On Sat, 2010-09-11 at 19:05 -0700, Jeremy Allison wrote:
> > On Sat, Sep 11, 2010 at 07:01:16PM +1000, Andrew Bartlett wrote:
> > > 
> > > While the whole patch scares me (if we need to use real GSSAPI that
> > > badly, we should use GSSAPI, and stop faking it up)
> > 
> > History Andrew, history. I'm sure you remember it. At the
> > time no gssapi library did what we needed, so we had no choice.
> 
> Indeed, but poor relations we had with the Kerberos community 10 years
> ago no longer applies, and the APIs we were missing (the ability to get
> the session key for smb signing) have been available in released
> versions for quite some time now. 

Yes, and people is working on it, unless you have patches ready I do not
see what's the point of criticizing a fix and the code it applies to ...

> > > Perhaps we should perhaps have two simple defines:  HAVE_KRB5 and
> > > HAVE_MODERN_KRB5, with a switch between the two rather than testing for
> > > each function, and getting too many combinations.  We just can't test
> > > the number of variations at the moment.  
> > 
> > This is a good idea, but only if you are willing to spend the
> > time tracking down the calls and making the change. Else it's
> > an "unfunded mandate" (or wishful thinking :-). In the meantime
> > we'll just have to find and fix bugs as the occur, as normal.
> 
> I already did that for the removal of the #ifdef HAVE_ARCFOUR_HMAC_MD5.
> I don't mind removing other special cases.
> 
> In particular we should make it clear in configure output that we are
> missing features we want, so we don't silently miss features if the
> tests are wrong (or don't cope with changes in the libs). 

What we need is probably to require a much newer set of libs, but this
must be done carefully, because it may mean cutting out krb5 support on
platforms that could work with the manually hacked code we have.
It is a tradeoff, not to be taken lightly.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>

More information about the samba-technical mailing list