credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case

Alexander Bokovoy ab at samba.org
Fri Mar 3 11:24:11 UTC 2017


On pe, 03 maalis 2017, Stefan Metzmacher wrote:
> Hi Alexander,
> 
> > Attached patch is needed for upcoming FreeIPA 4.5 release to allow use
> > of Samba Python bindings in a privilege separation mode provided by
> > GSS-proxy (https://pagure.io/gssproxy). FreeIPA bug is here:
> > https://pagure.io/freeipa/issue/6671, Samba bug is
> > https://bugzilla.samba.org/show_bug.cgi?id=12611
> > 
> > Please see more details in the commit message.
> 
> Please have a look at
> https://bugzilla.samba.org/show_bug.cgi?id=12480
> for the reasons why we can't use gss_acquire_cred().
Sorry Metze, but you are wrong in this particular case.

We are using gss_acquire_cred() in a lot of other places -- source3 code
uses the GENSEC GSE module on the server side through auth_generic_prepare(),
which prioritises GENSEC GSE.

However, cli_credentials_get_client_gss_creds() is only called in two
places:

- gensec_gssapi_client_creds() in source4/auth/gensec/gensec_gssapi.c
  where it is called with the default credentials cache. This is client-side
  use of GENSEC with GSSAPI and is never called inside winbindd where it
  could stumble on MEMORY: ccaches.

- auth_session_info_transport_from_session() in source/auth/session.c
  which is only called from source4/ntvfs/ipc/vfs_ipc.c. This code is
  not compiled in for system-provided MIT Kerberos or when we are built
  without AD DC.



-- 
/ Alexander Bokovoy