Require MIT 1.10? (Re: credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case)

Stefan Metzmacher metze at samba.org
Tue Mar 7 15:37:42 UTC 2017 

Am 07.03.2017 um 12:45 schrieb Alexander Bokovoy:
> On ma, 06 maalis 2017, Alexander Bokovoy wrote:
>> On ma, 06 maalis 2017, Stefan Metzmacher wrote:
>>> Am 06.03.2017 um 15:58 schrieb Alexander Bokovoy:
>>>> On ma, 06 maalis 2017, Stefan Metzmacher wrote:
>>>>> Am 06.03.2017 um 15:45 schrieb Alexander Bokovoy:
>>>>>> On ma, 06 maalis 2017, Stefan Metzmacher wrote:
>>>>>>> Am 06.03.2017 um 12:16 schrieb Alexander Bokovoy:
>>>>>>>> On ma, 06 maalis 2017, Stefan Metzmacher wrote:
>>>>>>>>> Hi Alexander,
>>>>>>>>>
>>>>>>>>>>>> ACK. Will do that.
>>>>>>>>>>> I pushed current patchset to
>>>>>>>>>>> https://git.samba.org/?p=ab/samba.git/.git;a=shortlog;h=refs/heads/master-gss_acquire_cred_from
>>>>>>>>>>>
>>>>>>>>>>> I'm running tests right now. Will submit final patch once they pass.
>>>>>>>>>> Final patch is attached.
>>>>>>>>>
>>>>>>>>> I think we should also handle the keytab_principal argument
>>>>>>>>> (or drop it from the argument list of the wrapper).
>>>>>>>> This is done (attached). There is a need to use keytab_principal as it
>>>>>>>> is passed by the credentials code.
>>>>>>>>  
>>>>>>>>> And please also add the fallback logic for broken
>>>>>>>>> of gse_init_server() to handle the broken gss_krb5_import_cred()
>>>>>>>>> for the acceptor into the wrapper. And/or reseach if the fallback
>>>>>>>>> logic is still needed with our requirement for MIT 1.9.
>>>>>>>> For the latter, the code that broke gss_krb5_import_cred() in MIT 1.9
>>>>>>>> was later fixed[1] with bd18687a705a8a6cdcb7c140764d1a7c6a3381b5
>>>>>>>> and finally the whole code path was removed with
>>>>>>>> 889d3ca4c482f730cd194f2d83c41d70bc615a67
>>>>>>>>
>>>>>>>> Both changes were released in MIT 1.10.
>>>>>>>>
>>>>>>>> RHEL 6 has MIT krb5 1.10.3. Ubuntu and Debian have 1.10 too, starting
>>>>>>>> with Precise, that's 5 stable releases ago for Ubuntu, and Wheezy for
>>>>>>>> Debian.
>>>>>>>> https://packages.debian.org/search?keywords=krb5&searchon=sourcenames&suite=all&section=all
>>>>>>>>
>>>>>>>> On FreeBSD we have at least MIT 1.13 since FreeBSD 8.4:
>>>>>>>> http://portsmon.freebsd.org/portoverview.py?category=security&portname=krb5&wildcard=
>>>>>>>>
>>>>>>>> I think we can relatively safely drop MIT 1.9 and move to MIT 1.10 as a
>>>>>>>> requirement. RHEL 5 stuck with 1.6 anyway.
>>>>>>>
>>>>>>> I'm fine to move to MIT 1.10, but I guess better only for master/4.7.
>>>>>> Yes.
>>>>>>  
>>>>>>> If you want this backported to 4.6:
>>>>>>> - please at the fallback to the wrapper first
>>>>>>> - then change the configure check to require 1.10
>>>>>>> - remove the fallback
>>>>>>>
>>>>>>> If you don't need a backport:
>>>>>>> - change the configure check to require 1.10
>>>>>>> - remove the fallback
>>>>>>> - apply your current patches
>>>>>> I don't need a fallback in the backported code, actually, because the
>>>>>> oldest release I need to backport already has 1.10.
>>>>>
>>>>> So you'll keep the backport only in the RHEL packages?
>>>> I mean, environments where I need Samba 4.6 with this patch all have MIT
>>>> Krb5 >= 1.14 so introducing configure check and keeping fallback there
>>>> is not needed.
>>>
>>> Sure, but if you want it to be backported to an official 4.6.x release
>>> they're needed.
>> Ok, got you.
> I slept a bit more on this topic and made following:
>  - I integrated Simo's smb_gss_acquire_cred_from() wrapper
>  - Moved smb_gss_krb5_import_cred() to use smb-gss_acquire_cred_from()
>  - Changed gse server and client code to use smb_gss_acquire_cred_from()
>  - Moved libads/sasl.c code to use smb_gss_acquire_cred_from()
>  - Changed MIT krb5 require to 1.10
>  - deprecated a fallback for gss_acquire_cred() in gse code.
>  - backported all of this to 4.6

If you want it backported to 4.6, make the simplest version that
works for you using smb_gss_krb5_import_cred(), where the
fallback for the broken gss_krb5_import_cred() is done within
smb_gss_krb5_import_cred(). Everything else is not acceptable for 4.6,
sorry.

We should just discuss that simplest version *only* now. Once it's in master
and can be backported, we can think about gss_acquire_cred_from() for
master.

> Now we only have auth/credentials/credentials_krb5.c using
> smb_gss_krb5_import_cred() wrapper with explicit ccache handles.
> On MIT krb5 1.10 or later all code paths lead to gss_acquire_cred_from().

gss_acquire_cred_from() is available from 1.11

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170307/2081fc09/signature.sig>

More information about the samba-technical mailing list