Require MIT 1.10? (Re: credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case)
Stefan Metzmacher
metze at samba.org
Mon Mar 6 14:49:37 UTC 2017
Am 06.03.2017 um 15:45 schrieb Alexander Bokovoy:
> On ma, 06 maalis 2017, Stefan Metzmacher wrote:
>> Am 06.03.2017 um 12:16 schrieb Alexander Bokovoy:
>>> On ma, 06 maalis 2017, Stefan Metzmacher wrote:
>>>> Hi Alexander,
>>>>
>>>>>>> ACK. Will do that.
>>>>>> I pushed current patchset to
>>>>>> https://git.samba.org/?p=ab/samba.git/.git;a=shortlog;h=refs/heads/master-gss_acquire_cred_from
>>>>>>
>>>>>> I'm running tests right now. Will submit final patch once they pass.
>>>>> Final patch is attached.
>>>>
>>>> I think we should also handle the keytab_principal argument
>>>> (or drop it from the argument list of the wrapper).
>>> This is done (attached). There is a need to use keytab_principal as it
>>> is passed by the credentials code.
>>>
>>>> And please also add the fallback logic for broken
>>>> of gse_init_server() to handle the broken gss_krb5_import_cred()
>>>> for the acceptor into the wrapper. And/or reseach if the fallback
>>>> logic is still needed with our requirement for MIT 1.9.
>>> For the latter, the code that broke gss_krb5_import_cred() in MIT 1.9
>>> was later fixed[1] with bd18687a705a8a6cdcb7c140764d1a7c6a3381b5
>>> and finally the whole code path was removed with
>>> 889d3ca4c482f730cd194f2d83c41d70bc615a67
>>>
>>> Both changes were released in MIT 1.10.
>>>
>>> RHEL 6 has MIT krb5 1.10.3. Ubuntu and Debian have 1.10 too, starting
>>> with Precise, that's 5 stable releases ago for Ubuntu, and Wheezy for
>>> Debian.
>>> https://packages.debian.org/search?keywords=krb5&searchon=sourcenames&suite=all§ion=all
>>>
>>> On FreeBSD we have at least MIT 1.13 since FreeBSD 8.4:
>>> http://portsmon.freebsd.org/portoverview.py?category=security&portname=krb5&wildcard=
>>>
>>> I think we can relatively safely drop MIT 1.9 and move to MIT 1.10 as a
>>> requirement. RHEL 5 stuck with 1.6 anyway.
>>
>> I'm fine to move to MIT 1.10, but I guess better only for master/4.7.
> Yes.
>
>> If you want this backported to 4.6:
>> - please at the fallback to the wrapper first
>> - then change the configure check to require 1.10
>> - remove the fallback
>>
>> If you don't need a backport:
>> - change the configure check to require 1.10
>> - remove the fallback
>> - apply your current patches
> I don't need a fallback in the backported code, actually, because the
> oldest release I need to backport already has 1.10.
So you'll keep the backport only in the RHEL packages?
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170306/c0d43267/signature.sig>
More information about the samba-technical
mailing list