credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case

Stefan Metzmacher metze at
Fri Mar 3 11:12:11 UTC 2017

On 03.03.2017 at 11:58, Stefan Metzmacher wrote:
> Hi Alexander,
>> Attached patch is needed for upcoming FreeIPA 4.5 release to allow use
>> of Samba Python bindings in a privilege separation mode provided by
>> GSS-proxy ( FreeIPA bug is here:
>>, Samba bug is
>> Please see more details in the commit message.
> Please have a look at
> for the reasons why we can't use gss_acquire_cred().
> There needs to be another solution, sorry.

As gss_acquire_cred_from() seems to be handled by gssproxy,
I guess we need a wrapper in lib/krb5_wrap/gss_samba.[ch]
that uses gss_acquire_cred_from() if available and
gss_krb5_import_cred() otherwise.

And that wrapper needs to be used everywhere we currently
use gss_krb5_import_cred(). It should also hide the mess
we currently use in gse_init_server() to work around
the broken gss_krb5_import_cred() server side.

