[gssproxy] cifs-utils, Linux cifs kernel client and gssproxy

Weiser, Michael michael.weiser at atos.net
Tue Oct 26 10:08:48 UTC 2021 

Hello Pavel,

I've now also had a chance to look at this in more detail. I've done a quick test and
everything still seems to work with the next branch.

> The only concern that I have is the compile warning below. Would
> appreciate it if you provide a fix for that.

FWIW: I do not get that warning either on Fedora 33 with gcc 10.3 and krb5-1.18.2-29.fc33
nor on Debian testing as of today with gcc 10.3 and krb5-1.18.3-7 nor on Gentoo
with gcc-11.2.0 and mit-krb5-1.19.2. But I do see that gssproxy has run into this as well and
solved it the same way. Looking at gssapi docs and source I do not see that we're doing
anything wrong here.

There's one minor additional change I found in my local branch switching from
(gss_OID)gss_nt_service_name to the more modern GSS_C_NT_HOSTBASED_SERVICE
in gss_import_name(). I've opened a PR on github. (Below as well but the groupware will
likely corrupt it.)

The old style bled over from an MIT krb5 example I based my initial trials on. The removed
cast might require another discard_const() now. Since I can't reproduce it, I'd leave that up
to you.

Author: Michael Weiser <michael.weiser at atos.net>
Date:   Tue Oct 26 11:11:48 2021 +0200

    cifs.upcall: switch to RFC principal type naming

    Switch from old-style MIT krb5 gss_nt_service_name principal type
    constant name to the now preferred GSS_C_NT_HOSTBASED_SERVICE.

    Signed-off-by: Michael Weiser <michael.weiser at atos.net>

diff --git a/cifs.upcall.c b/cifs.upcall.c
index e9c7f5f..f11bfa6 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -794,7 +794,7 @@ cifs_gss_get_req(const char *host, DATA_BLOB *mechtoken, DATA_BLOB *sess_key)
        target_name_buf.length = service_name_len;

        maj_stat = gss_import_name(&min_stat, &target_name_buf,
-                       (gss_OID)gss_nt_service_name, &target_name);
+                       GSS_C_NT_HOSTBASED_SERVICE, &target_name);
        free(service_name);
        if (GSS_ERROR(maj_stat)) {
                cifs_gss_display_status("gss_import_name", maj_stat, min_stat);
-- 
Thanks
Michael

More information about the samba-technical mailing list