credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case

Simo simo at samba.org
Mon Mar 6 15:34:09 UTC 2017


On Mon, 2017-03-06 at 13:16 +0200, Alexander Bokovoy wrote:
> On ma, 06 maalis 2017, Stefan Metzmacher wrote:
> > Hi Alexander,
> > 
> > > > > ACK. Will do that.
> > > > 
> > > > I pushed current patchset to
> > > > https://git.samba.org/?p=ab/samba.git/.git;a=shortlog;h=refs/heads/master-gss_acquire_cred_from
> > > > 
> > > > I'm running tests right now. Will submit final patch once they
> > > > pass.
> > > 
> > > Final patch is attached.
> > 
> > I think we should also handle the keytab_principal argument
> > (or drop it from the argument list of the wrapper).
> 
> This is done (attached). There is a need to use keytab_principal as it
> is passed by the credentials code.

FWIW, ack to this patchset. I have gone a little further with mine and
it requires more changes to the callers than I want to introduce right
now, so let's go with this approach that is easier to integrate in the
current code.

HTH,
Simo.

> > And please also add the fallback logic for broken
> > of gse_init_server() to handle the broken gss_krb5_import_cred()
> > for the acceptor into the wrapper. And/or research if the fallback
> > logic is still needed with our requirement for MIT 1.9.
> 
> For the latter, the code that broke gss_krb5_import_cred() in MIT 1.9
> was later fixed[1] with bd18687a705a8a6cdcb7c140764d1a7c6a3381b5
> and finally the whole code path was removed with
> 889d3ca4c482f730cd194f2d83c41d70bc615a67
> 
> Both changes were released in MIT 1.10.
> 
> RHEL 6 has MIT krb5 1.10.3. Ubuntu and Debian have 1.10 too, starting
> with Precise, that's 5 stable releases ago for Ubuntu, and Wheezy for
> Debian.
> https://packages.debian.org/search?keywords=krb5&searchon=sourcenames&suite=all&section=all
> 
> On FreeBSD we have at least MIT 1.13 since FreeBSD 8.4:
> http://portsmon.freebsd.org/portoverview.py?category=security&portname=krb5&wildcard=
> 
> I think we can relatively safely drop MIT 1.9 and move to MIT 1.10 as a
> requirement. RHEL 5 stuck with 1.6 anyway.
> 
> [1] See Greg's answer to Andrew about broken code in 2011:
> https://lists.samba.org/archive/samba-technical/2011-July/078635.html
> 