credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case

Alexander Bokovoy ab at samba.org
Fri Mar 3 11:26:30 UTC 2017


On pe, 03 maalis 2017, Stefan Metzmacher wrote:
> Am 03.03.2017 um 11:58 schrieb Stefan Metzmacher:
> > Hi Alexander,
> > 
> >> Attached patch is needed for upcoming FreeIPA 4.5 release to allow use
> >> of Samba Python bindings in a privilege separation mode provided by
> >> GSS-proxy (https://pagure.io/gssproxy). FreeIPA bug is here:
> >> https://pagure.io/freeipa/issue/6671, Samba bug is
> >> https://bugzilla.samba.org/show_bug.cgi?id=12611
> >>
> >> Please see more details in the commit message.
> > 
> > Please have a look at
> > https://bugzilla.samba.org/show_bug.cgi?id=12480
> > for the reasons why we can't use gss_acquire_cred().
> > 
> > There needs to be another solution, sorry.
> 
> As gss_acquire_cred_from() seems to be handled by gssproxy,
> I guess we need a wrapper in lib/krb5_wrap/gss_samba.[ch]
> that uses gss_acquire_cred_from() if available and
> gss_krb5_import_cred() otherwise.
> 
> And that wrapper needs to be used everywhere we currently
> use gss_krb5_import_cred(). It should also hide the mess
> we currently use in gse_init_server() to work around
> the broken gss_krb5_import_cred() server side.
That was my initial idea but the problem here is that we deal with it 
differently in different contexts. In client context we use GSSAPI creds
while in other places we use KRB5 ccache handle.

This particular code path is isolated from other use of
gss_krb5_import_cred(). And it does not need to specify explicit
credential cache because it is running in a client context and expects
to use the default ccache.


-- 
/ Alexander Bokovoy