Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Special ccache handling for {HOSTNAME} acceptor #238

Merged
merged 2 commits into from
Oct 15, 2020
Merged

Special ccache handling for {HOSTNAME} acceptor #238

merged 2 commits into from
Oct 15, 2020

Conversation

simo5
Copy link
Contributor

@simo5 simo5 commented Oct 14, 2020

Quoting part of a commit message in this PR:
When using the {HOTNAME} acceptor the principal used in the server
ccache can vary with each request. GSSAPI does not handle gracefully
a request to resolve a ccache if there is already another credential
under a different name.

Fixes #234

@simo5 simo5 mentioned this pull request Oct 14, 2020
Closed
@simo5
Copy link
Contributor Author

simo5 commented Oct 15, 2020

@frozencemetery I got confirmation that this solves the actual problem on #234, would be nice to review and merge.

frozencemetery
frozencemetery previously requested changes Oct 15, 2020
View reviewed changes
Copy link
Member

@frozencemetery frozencemetery left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo in commit message - "HOTNAME". 🔥

The rest is all nits - I'll clean it up in a moment.

src/mod_auth_gssapi.c Outdated Show resolved Hide resolved
src/mod_auth_gssapi.c Outdated Show resolved Hide resolved
src/mod_auth_gssapi.c Outdated Show resolved Hide resolved
src/mod_auth_gssapi.c Outdated Show resolved Hide resolved
src/mod_auth_gssapi.c Outdated Show resolved Hide resolved
tests/magtests.py Outdated Show resolved Hide resolved
tests/magtests.py Outdated Show resolved Hide resolved
@simo5 @frozencemetery
Add test that exercises S4u2Proxy code
f1952b7 
This test shows that currently GssapiAcceptor {HOSTNAME} option will
break the S4U2Proxy case.

Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: nits]
@simo5 @frozencemetery
Special ccache handling for {HOSTNAME} acceptor
5a6e6be 
This applies only to the case when GssapiS4U2Proxy is enabled.

When using the {HOSTNAME} acceptor, the principal used in the server
ccache can vary with each request. GSSAPI does not handle gracefully
a request to resolve a ccache if there is already another credential
under a different name. Even with ccache collections GSSAPI will
resolve an existing ccache from the collection if any is available and
throw an error if it does not match the desired_name. This even if
there is a client_keytab that could be used to initiate a new cache in
the collection with the right name.

Therefore in case GssapiAcceptor is set to the special value {HOSTNAME},
instead of using the provided ccache or the process default ccache we
create a new ccache named after the hostname in the delegated ccache
directory. This directory is required when the S4U2Proxy mode is enabled
so we are guaranteed to have it available an writable.

Signed-off-by: Simo Sorce <simo@redhat.com>
[rharwood@redhat.com: nits]
@simo5
Copy link
Contributor Author

simo5 commented Oct 15, 2020

Your changes look good to me

@simo5 simo5 merged commit a84b9a3 into gssapi:master Oct 15, 2020
@simo5 simo5 mentioned this pull request Dec 3, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frozencemetery frozencemetery frozencemetery left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Multiple keys and delegation
2 participants
@simo5 @frozencemetery