credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case
Andrew Bartlett
abartlet at samba.org
Sat Mar 4 18:19:27 UTC 2017
On Sat, 2017-03-04 at 11:14 -0500, Simo wrote:
> On Fri, 2017-03-03 at 14:23 +0200, Alexander Bokovoy wrote:
> > > We almost never want to use the default cache!
> >
> > We do and we do use it in FreeIPA use case for last three years without
> > any issues.
>
> Just a note on this subthread, you should use the default ccache ... by
> default!
>
> Nothing wrong in allowing to pass a non-default ccache, but that should
> not be the default behavior.
>
> It breaks expectations from programs using libraries. Programs expect
> libraries using kerberos to use the default ccache (by default) which
> they presumably initialized with the credentials they want to use or
> they expect to use "as is" because the user logged in with their own
> kerberos credentials before running the program.
I've not read this whole thread, but this was one of the guiding
principles in the design of the cli_credentials mechanism. In the
absence of any other indication of what to use (e.g. a specified username
or password etc), the default credentials cache is what was wanted.
Now, I may be missing some subtle interactions that make this more
complex, but that was the idea.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba