Replace gse_krb5 with gensec_gssapi for all our client code and, loadparm consolidation?

Andreas Schneider asn at
Fri Apr 30 09:46:18 UTC 2021

On Thursday, 29 April 2021 05:21:31 CEST Andrew Bartlett wrote:
> G'Day Andreas,

Hi Andrew,

> I've looked with great interest on your patches to unify our command
> line handling, and love the way the credentials system is being
> connected up everywhere.  It really brings a joy to me because I've
> long hoped for what you are now building.

the cli_credentials still need a lot of cleanup. There are functions which
should return a bool instead of void.

The machine_account_pending thing is quite horrible and we should try to get rid
of it rather sooner than later.

> One area where the credentials code is not able to be used to the full
> extent right now is in kerberos with an existing credentials cache,
> because the gse_krb5 code still polls for a username and password
> explicitly.  Yes, it can use a ccache, but only via a server-wide
> environment variable, not via the cli_credentials mechanism.
> So I wanted to suggest that we update auth_generic_client_prepare to
> use gensec_gssapi rather than gse_krb5.  This would use the code that
> already has a full connection between the cli_credentials layer and the
> GSS credentials layer.

gse_krb5 is only keytab handling. I think you mean just gse ;-) However I'm 
not sure if both implementations have the same feature set, but our tests 
should reveal that.

> Finally, take a look at this idea sometime:
> -for-global-python-loadparm
> For most of Samba, we pass down the cmdline_credentials (s4) or use the
> globals (s3).
> In python we do something similar, but often referring back to a magic
> global S4-style Loadparm object.
> It is currently a real pain to use python code that is s3 based (eg the
> libsmb library) as you have to init an s3 loadparm otherwise it breaks
> horribly.
> As we work harder not to duplicate existing good code I came up with
> the approach that if we are going to have a global, it should be an s3
> loadparm instance, wrapped up.  That way things like '-d3' on the
> command line can still work.
> The same could be done on the C side with your command-line work, which
> might help further unify things.

The best would be to have just one loadparm implementation.



Andreas Schneider                      asn at
Samba Team                   
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
