Replace gse_krb5 with gensec_gssapi for all our client code and, loadparm consolidation?
asn at samba.org
Fri Apr 30 09:46:18 UTC 2021
On Thursday, 29 April 2021 05:21:31 CEST Andrew Bartlett wrote:
> G'Day Andreas,
> I've looked with great interest on your patches to unify our command
> line handling, and love the way the credentials system is being
> connected up everywhere. It really brings a joy to me because I've
> long hoped for what you are now building.
the cli_credentials still need a lot of cleanup. There are function which
should return a bool instead of void.
The machine_account_pending thing quite horrible and we should try to get rid
of it rather sooner than later.
> One area where the credentials code is not able to be used to the full
> extent right now is in kerberos with an existing credentials cache,
> because the gse_krb5 code still polls for a username and password
> explicitly. Yes, it can use a ccache, but only via a server-wide
> enviroment variable, not via the cli_credentials mechansim.
> So I wanted to suggest that we update auth_generic_client_prepare to
> use gensec_gssapi rather than gse_krb5. This would use the code that
> already has a full connection between the cli_credentials layer and the
> GSS credentials layer.
gse_krb5 is only keytab handling. I think you mean just gse ;-) However I'm
not sure if both implementations have the same feature set, but our tests
should reveal that.
> Finally, take a look at this idea sometime:
> For most of Samba, we pass down the cmdline_credentials (s4) or use the
> globals (s3).
> In python we do something similar, but often referring back to a magic
> global S4-style Loadparm object.
> It is currently a real pain use python code that is s3 based (eg the
> libsmb library) as you have to init an s3 loadparm otherwise is breaks
> As we work harder not to duplicate existing good code I came up with
> the approach that if we are going to have a global, it should be an s3
> loadparm instance, wrapped up. That way things like '-d3' on the
> command line can still work.
> The same could be done on the C side with your command-line work, which
> might help further unify things.
The best would be to have just one loadparm implementation.
Andreas Schneider asn at samba.org
Samba Team www.samba.org
More information about the samba-technical