credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case

Stefan Metzmacher metze at samba.org
Fri Mar 3 11:12:11 UTC 2017


On 03.03.2017 at 11:58, Stefan Metzmacher wrote:
> Hi Alexander,
> 
>> Attached patch is needed for upcoming FreeIPA 4.5 release to allow use
>> of Samba Python bindings in a privilege separation mode provided by
>> GSS-proxy (https://pagure.io/gssproxy). FreeIPA bug is here:
>> https://pagure.io/freeipa/issue/6671, Samba bug is
>> https://bugzilla.samba.org/show_bug.cgi?id=12611
>>
>> Please see more details in the commit message.
> 
> Please have a look at
> https://bugzilla.samba.org/show_bug.cgi?id=12480
> for the reasons why we can't use gss_acquire_cred().
> 
> There needs to be another solution, sorry.

As gss_acquire_cred_from() seems to be handled by gssproxy,
I guess we need a wrapper in lib/krb5_wrap/gss_samba.[ch]
that uses gss_acquire_cred_from() if available and
gss_krb5_import_cred() otherwise.

And that wrapper needs to be used everywhere we currently
use gss_krb5_import_cred(). It should also hide the mess
we currently use in gse_init_server() to work around
the broken gss_krb5_import_cred() server side.

metze
