Replace gse_krb5 with gensec_gssapi for all our client code and, loadparm consolidation?

Andrew Bartlett abartlet at samba.org
Thu Apr 29 03:21:31 UTC 2021


G'Day Andreas,

I've looked with great interest on your patches to unify our command
line handling, and love the way the credentials system is being
connected up everywhere.  It really brings a joy to me because I've
long hoped for what you are now building.

One area where the credentials code is not able to be used to the full
extent right now is in kerberos with an existing credentials cache,
because the gse_krb5 code still polls for a username and password
explicitly.  Yes, it can use a ccache, but only via a server-wide
environment variable, not via the cli_credentials mechanism.

So I wanted to suggest that we update auth_generic_client_prepare to
use gensec_gssapi rather than gse_krb5.  This would use the code that
already has a full connection between the cli_credentials layer and the
GSS credentials layer.

Most of the special case code in gse_krb5 is on the server side
(handling keytabs for the various keytab arrangements permitted on the
file server) so this shouldn't be a big change, but would mean we use
the command-line specified ccache better.

Anyway, just wanted to let you know.

Finally, take a look at this idea sometime:
https://gitlab.com/samba-team/devel/samba/-/commits/abartlet/use-s3-loadparm-for-global-python-loadparm

For most of Samba, we pass down the cmdline_credentials (s4) or use the
globals (s3).  

In python we do something similar, but often referring back to a magic
global S4-style Loadparm object. 

It is currently a real pain to use python code that is s3 based (eg the
libsmb library) as you have to init an s3 loadparm otherwise it breaks
horribly.

As we work harder not to duplicate existing good code I came up with
the approach that if we are going to have a global, it should be an s3
loadparm instance, wrapped up.  That way things like '-d3' on the
command line can still work.

The same could be done on the C side with your command-line work, which
might help further unify things.

Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions







