Require MIT 1.10? (Re: credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case)

Stefan Metzmacher metze at samba.org
Wed Mar 8 15:31:03 UTC 2017


Hi Alexander,

> On Tue, 07 Mar 2017, Stefan Metzmacher wrote:
>>>>> Sure, but if you want it to be backported to an official 4.6.x release
>>>>> they're needed.
>>>> Ok, got you.
>>> I slept a bit more on this topic and made the following:
>>>  - I integrated Simo's smb_gss_acquire_cred_from() wrapper
>>>  - Moved smb_gss_krb5_import_cred() to use smb_gss_acquire_cred_from()
>>>  - Changed gse server and client code to use smb_gss_acquire_cred_from()
>>>  - Moved libads/sasl.c code to use smb_gss_acquire_cred_from()
>>>  - Changed MIT krb5 require to 1.10
>>>  - deprecated a fallback for gss_acquire_cred() in gse code.
>>>  - backported all of this to 4.6
>>
>> If you want it backported to 4.6, make the simplest version that
>> works for you using smb_gss_krb5_import_cred(), where the
>> fallback for the broken gss_krb5_import_cred() is done within
>> smb_gss_krb5_import_cred(). Everything else is not acceptable for 4.6,
>> sorry.
>>
>> We should just discuss that simplest version *only* now. Once it's in master
>> and can be backported, we can think about gss_acquire_cred_from() for
>> master.
> I have reworked the 4.6 backport to incorporate the fallback to
> smb_gss_krb5_import_cred() wrapper. The backport has no
> gss_acquire_cred_from() in the main code, only in a wrapper -- if it is
> available. The wrapper for the case when gss_acquire_cred_from() is not
> available still uses gss_krb5_import_cred() and gss_acquire_cred() --
> with a fallback to the latter in case we are setting up an acceptor
> without specifying a keytab principal.
> 
> I haven't backported bumping requirements to MIT 1.10.

I've only looked at the 4.6 patchset as I'm a bit short on time.
I think you should create a bug report, add the BUG:, signed-off...
tags, including my review to the patches from
samba-v4.6-gss_krb5_import_cred.patch

These can be pushed to master; once they're in master we can cherry-pick -x
them and backport them.

For master we continue like this (in the following order):
- add the patch that changes the version to require 1.10
- remove the ugly fallback code from smb_gss_krb5_import_cred().

Then we can improve from there, ok?

metze
