credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case

Stefan Metzmacher metze at samba.org
Fri Mar 3 11:31:42 UTC 2017


Hi Alexander,

>>> Attached patch is needed for upcoming FreeIPA 4.5 release to allow use
>>> of Samba Python bindings in a privilege separation mode provided by
>>> GSS-proxy (https://pagure.io/gssproxy). FreeIPA bug is here:
>>> https://pagure.io/freeipa/issue/6671, Samba bug is
>>> https://bugzilla.samba.org/show_bug.cgi?id=12611
>>>
>>> Please see more details in the commit message.
>>
>> Please have a look at
>> https://bugzilla.samba.org/show_bug.cgi?id=12480
>> for the reasons why we can't use gss_acquire_cred().
> Sorry Metze, but you are wrong in this particular case.
> 
> We are using gss_acquire_cred() in a lot of other places -- source3 code
> uses GENSEC GSE module on server side through auth_generic_prepare()
> which prioritizes GENSEC GSE.

No we only use gss_acquire_cred() as a fallback in gse_init_server()
when gss_krb5_import_cred() has a bug importing a keytab.

Are you looking at an older release that doesn't have the #12480
patches?

> However, cli_credentials_get_client_gss_creds() is only called in two
> places:
> 
> - gensec_gssapi_client_creds() in source4/auth/gensec/gensec_gssapi.c
>   where it is called with default credentials cache. This is client side
>   use of GENSEC with GSSAPI and never is called inside winbindd where it
>   could stumble on MEMORY: ccaches.

Will operate on cli_credentials_get_client_gss_creds() in almost all cases
where we use kerberos, e.g. when the user didn't 'kinit' before
and passed a password.

See my other mail for the solution we can aim for.

metze
