List: samba-technical
Subject: Re: Replace gse_krb5 with gensec_gssapi for all our client code and, loadparm consolidation?
From: Andreas Schneider via samba-technical <samba-technical () lists ! samba ! org>
Date: 2021-04-30 9:46:18
Message-ID: 4858303.TADPx3k1qC () magrathea
On Thursday, 29 April 2021 05:21:31 CEST Andrew Bartlett wrote:
> G'Day Andreas,
Hi Andrew,
> I've looked with great interest on your patches to unify our command
> line handling, and love the way the credentials system is being
> connected up everywhere. It really brings a joy to me because I've
> long hoped for what you are now building.
the cli_credentials still need a lot of cleanup. There are functions which
should return a bool instead of void.
The machine_account_pending thing is quite horrible and we should try to get rid
of it rather sooner than later.
> One area where the credentials code is not able to be used to the full
> extent right now is in kerberos with an existing credentials cache,
> because the gse_krb5 code still polls for a username and password
> explicitly. Yes, it can use a ccache, but only via a server-wide
> environment variable, not via the cli_credentials mechanism.
>
> So I wanted to suggest that we update auth_generic_client_prepare to
> use gensec_gssapi rather than gse_krb5. This would use the code that
> already has a full connection between the cli_credentials layer and the
> GSS credentials layer.
gse_krb5 is only keytab handling. I think you mean just gse ;-) However I'm
not sure if both implementations have the same feature set, but our tests
should reveal that.
> Finally, take a look at this idea sometime:
> https://gitlab.com/samba-team/devel/samba/-/commits/abartlet/use-s3-loadparm-for-global-python-loadparm
>
> For most of Samba, we pass down the cmdline_credentials (s4) or use the
> globals (s3).
>
> In python we do something similar, but often referring back to a magic
> global S4-style Loadparm object.
>
> It is currently a real pain to use python code that is s3 based (eg the
> libsmb library) as you have to init an s3 loadparm otherwise it breaks
> horribly.
>
> As we work harder not to duplicate existing good code I came up with
> the approach that if we are going to have a global, it should be an s3
> loadparm instance, wrapped up. That way things like '-d3' on the
> command line can still work.
>
> The same could be done on the C side with your command-line work, which
> might help further unify things.
The best would be to have just one loadparm implementation.
Cheers
Andreas
--
Andreas Schneider asn@samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D