Require MIT 1.10? (Re: credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case)

Alexander Bokovoy ab at samba.org
Mon Mar 6 15:18:42 UTC 2017


On Mon, 06 Mar 2017, Stefan Metzmacher wrote:
> On 06.03.2017 at 15:58, Alexander Bokovoy wrote:
> > On Mon, 06 Mar 2017, Stefan Metzmacher wrote:
> >> On 06.03.2017 at 15:45, Alexander Bokovoy wrote:
> >>> On Mon, 06 Mar 2017, Stefan Metzmacher wrote:
> >>>> On 06.03.2017 at 12:16, Alexander Bokovoy wrote:
> >>>>> On Mon, 06 Mar 2017, Stefan Metzmacher wrote:
> >>>>>> Hi Alexander,
> >>>>>>
> >>>>>>>>> ACK. Will do that.
> >>>>>>>> I pushed current patchset to
> >>>>>>>> https://git.samba.org/?p=ab/samba.git/.git;a=shortlog;h=refs/heads/master-gss_acquire_cred_from
> >>>>>>>>
> >>>>>>>> I'm running tests right now. Will submit final patch once they pass.
> >>>>>>> Final patch is attached.
> >>>>>>
> >>>>>> I think we should also handle the keytab_principal argument
> >>>>>> (or drop it from the argument list of the wrapper).
> >>>>> This is done (attached). There is a need to use keytab_principal as it
> >>>>> is passed by the credentials code.
> >>>>>  
> >>>>>> And please also add the fallback logic
> >>>>>> of gse_init_server() to handle the broken gss_krb5_import_cred()
> >>>>>> for the acceptor into the wrapper. And/or research if the fallback
> >>>>>> logic is still needed with our requirement for MIT 1.9.
> >>>>> For the latter, the code that broke gss_krb5_import_cred() in MIT 1.9
> >>>>> was later fixed[1] with bd18687a705a8a6cdcb7c140764d1a7c6a3381b5
> >>>>> and finally the whole code path was removed with
> >>>>> 889d3ca4c482f730cd194f2d83c41d70bc615a67
> >>>>>
> >>>>> Both changes were released in MIT 1.10.
> >>>>>
> >>>>> RHEL 6 has MIT krb5 1.10.3. Ubuntu and Debian have 1.10 too, starting
> >>>>> with Precise, that's 5 stable releases ago for Ubuntu, and Wheezy for
> >>>>> Debian.
> >>>>> https://packages.debian.org/search?keywords=krb5&searchon=sourcenames&suite=all&section=all
> >>>>>
> >>>>> On FreeBSD we have at least MIT 1.13 since FreeBSD 8.4:
> >>>>> http://portsmon.freebsd.org/portoverview.py?category=security&portname=krb5&wildcard=
> >>>>>
> >>>>> I think we can relatively safely drop MIT 1.9 and move to MIT 1.10 as a
> >>>>> requirement. RHEL 5 stuck with 1.6 anyway.
> >>>>
> >>>> I'm fine to move to MIT 1.10, but I guess better only for master/4.7.
> >>> Yes.
> >>>  
> >>>> If you want this backported to 4.6:
> >>>> - please add the fallback to the wrapper first
> >>>> - then change the configure check to require 1.10
> >>>> - remove the fallback
> >>>>
> >>>> If you don't need a backport:
> >>>> - change the configure check to require 1.10
> >>>> - remove the fallback
> >>>> - apply your current patches
> >>> I don't need a fallback in the backported code, actually, because the
> >>> oldest release I need to backport already has 1.10.
> >>
> >> So you'll keep the backport only in the RHEL packages?
> > I mean, environments where I need Samba 4.6 with this patch all have MIT
> > Krb5 >= 1.14 so introducing configure check and keeping fallback there
> > is not needed.
> 
> Sure, but if you want it to be backported to an official 4.6.x release
> they're needed.
Ok, got you.



-- 
/ Alexander Bokovoy


