credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case
metze at samba.org
Fri Mar 3 11:12:11 UTC 2017
Am 03.03.2017 um 11:58 schrieb Stefan Metzmacher:
> Hi Alexander,
>> Attached patch is needed for upcoming FreeIPA 4.5 release to allow use
>> of Samba Python bindings in a privile separation mode provided by
>> GSS-proxy (https://pagure.io/gssproxy). FreeIPA bug is here:
>> https://pagure.io/freeipa/issue/6671, Samba bug is
>> Please see more details in the commit message.
> Please have a look at
> for the reasons why we can't use gss_acquire_cred().
> There needs to be another solution, sorry.
As gss_acquire_cred_from() seems to be handled by gssproxy,
I guess we need a wrapper in lib/krb5_wrap/gss_samba.[ch]
that uses gss_acquire_cred_from() if available and
And that wrapper needs to be used everywhere we currently
use gss_krb5_import_cred(). It should also hide the mess
we currently use in gse_init_server() to work arround
the broken gss_krb5_import_cred() server side.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 836 bytes
Desc: OpenPGP digital signature
More information about the samba-technical