credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case
Alexander Bokovoy
ab at samba.org
Mon Mar 6 14:43:51 UTC 2017
On ma, 06 maalis 2017, Stefan Metzmacher wrote:
> Hi Simo,
>
> >> Yes, and that's exactly what I want. We should do such things
> >> explicit
> >> in order to avoid unexpected magic depending on the used kerberos
> >> library.
> >
> > Can you explain what magic you refer to ?
> > What's your goal here ? Keep in mind that in MIT kerberos
> > gss_krb5_import_cred() is implemented by calling the acquire_cred paths
> > internally anyway, so the solution for any "magic" is likely the same
> > in either case.
>
> See https://bugzilla.samba.org/show_bug.cgi?id=12480, we need to
> pass an explicit krb5_ccache in order to avoid the ccselect
> magic, which is a security risk in our code. Therefore we need
> to call krb5_cc_resolve() ourself. As we don't want the
> library to choose any random ccache! Even if we want to use
> the default cache for one cli_credential struct, it doesn't
> mean we will only ever have one cli_credential in the current
> process.
With gss_acquire_cred_from() we don't need to call krb5_cc_resolve() as
you can pass information about specific ccache reference in the cred
store details. That's one of the improvements here.
--
/ Alexander Bokovoy
More information about the samba-technical
mailing list