s3:build: for now do not require gsskrb5_extract_authz_data_from_sec_context

Andrew Bartlett abartlet at samba.org
Fri Jan 20 13:13:00 MST 2012


On Fri, 2012-01-20 at 20:24 +0100, Stefan Metzmacher wrote:
> s3:build: for now do not require
> gsskrb5_extract_authz_data_from_sec_context

Metze,

The issue here is that until the runtime check for a PAC, we do not know,
simply because we have the gss_inquire_sec_context_by_oid function, that
the function will successfully return a PAC using the Heimdal OID.

We could look for a definition of that OID, but this is more messy, so I
used the Heimdal-only function as a proxy indication, as I explain in
the waf rules (but seem to have missed explaining in the autoconf
rules).

If we do not have a replacement check, PAC validation will fail at
runtime, and we will fall back to whatever backup processing we have for
all incoming connections.  

As our new minimum supported version (krb5 1.8, Heimdal 1.x) satisfies
the original check, we should avoid users accidentally hitting this at
runtime.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



