Require MIT 1.10? (Re: credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case)

Alexander Bokovoy ab at samba.org
Wed Mar 8 15:37:57 UTC 2017


On Wed, 08 Mar 2017, Stefan Metzmacher wrote:
> Hi Alexander,
> 
> > On Tue, 07 Mar 2017, Stefan Metzmacher wrote:
> >>>>> Sure, but if you want it to be backported to an official 4.6.x release
> >>>>> they're needed.
> >>>> Ok, got you.
> >>> I slept a bit more on this topic and made the following:
> >>>  - I integrated Simo's smb_gss_acquire_cred_from() wrapper
> >>>  - Moved smb_gss_krb5_import_cred() to use smb_gss_acquire_cred_from()
> >>>  - Changed gse server and client code to use smb_gss_acquire_cred_from()
> >>>  - Moved libads/sasl.c code to use smb_gss_acquire_cred_from()
> >>>  - Changed MIT krb5 require to 1.10
> >>>  - deprecated a fallback for gss_acquire_cred() in gse code.
> >>>  - backported all of this to 4.6
> >>
> >> If you want it backported to 4.6, make the simplest version that
> >> works for you using smb_gss_krb5_import_cred(), where the
> >> fallback for the broken gss_krb5_import_cred() is done within
> >> smb_gss_krb5_import_cred(). Everything else is not acceptable for 4.6,
> >> sorry.
> >>
> >> We should just discuss that simplest version *only* now. Once it's in master
> >> and can be backported, we can think about gss_acquire_cred_from() for
> >> master.
> > I have reworked the 4.6 backport to incorporate the fallback to
> > smb_gss_krb5_import_cred() wrapper. The backport has no
> > gss_acquire_cred_from() in the main code, only in a wrapper -- if it is
> > available. The wrapper for the case when gss_acquire_cred_from() is not
> > available still uses gss_krb5_import_cred() and gss_acquire_cred() --
> > with a fallback to the latter in case we are setting up an acceptor
> > without a keytab principal specified.
> > 
> > I haven't backported bumping requirements to MIT 1.10.
> 
> I've only looked at the 4.6 patchset as I'm a bit short on time.
> I think you should create a bug report, add the BUG:, signed-off...
> tags, including my review to the patches from
> samba-v4.6-gss_krb5_import_cred.patch
> 
> These can be pushed to master, once they're in master we can cherry-pick -x
> them and backport them.
> 
> For master we continue like this (in the following order):
> - add the patch that changes the version to require 1.10
> - remove the ugly fallback code from smb_gss_krb5_import_cred().
> 
> Then we can improve from there, ok?
Ok. I have already opened the bug
https://bugzilla.samba.org/show_bug.cgi?id=12611 and will reuse it for
the first part of this work.

I also tested them with 4.5.5 on F25 and FreeIPA git master with
gssproxy 0.7.0, all works fine for my use case.



-- 
/ Alexander Bokovoy