Release Meeting Minutes/2012-05-15

From K5Wiki

Shawn Emery, Thomas Hardjono, Simo Sorce, Tom Yu

Git migration

Tom
Git migration done, mostly. Some infrastructure not quite migrated yet. (older autobuild, nightly snapshots)
Shawn
History?
Tom
All there for trunk. Some branches are hard to convert, so not converted. Trunk history back to ~1987.
Shawn
Good to have the history.

Authorization

Shawn
Problem of disparate configurations of authorization maps. auth_to_local. regexps. .k5login file. New authorization data. Trust groups. Checksum. Trust group strength. File on KDC with memberships. Maybe also mappings to local users. Also cross-realm stuff. Customers complaining about configuring auth_to_local rules in a non-centralized way.
Simo
CAMMAC / PAD drafts?
Shawn
...thought it was more POSIX specific.
Simo
Not just group name and GID. Maybe netgroups.
Shawn
Or ticket flag that indicates that the KDC verified that some client has access.
Simo
Why not non-issue?... Can have multiple types of group names. Could have a trust group type in PAD. Probably will add some non-POSIX group types to PAD. Host-based access controls, etc., to avoid extra lookups.
Shawn
auth_to_local_mapping? Multicomponent username. Alias case. POSIX username might not intersect Kerberos username.
Tom
Plugins.
Shawn
auth_to_local. kuserok. Keep application servers from having to change. gss_userok (private) Want to stay with those to help migrations.

Mechglue

Simo
Seeing a problem with one main usage... privilege separation. Fall back to original once session key established. Proxy can tell mechglue to convert to underlying. union_name would need to know what form actual internal name. union name has interposer's name. Want to pass real mech the real name. Simplest way is if mechglue is aware of interposer.
Tom
SPNEGO has same problems. Just continues to wrap every mech call.
Simo
No context, so no way to "flip a switch" to tell API to use the underlying. Application provides actual mech name, so mechglue has only original mech OID. Need OID for interposing mech.

Some talk about using an OID prefix to indicate the interposer.