Release Meeting Minutes/2011-02-01
From K5Wiki
Greg Hudson, Zhanna Tsitkova, Thomas Hardjono, Sam Hartman, Simo Sorce, Will Fiveash
GSS errors
- Greg
- Arlene Berry sent a bug [krbdev.mit.edu #6848] re gss errors. mapped errors. want error hdrs installed.
- Sam
- app developers want to be able to check for specific error codes
- Sam
- would have taken ctx param to display_status
- Greg
- avoid mapping error codes?
Acceptor names
- Greg
- We want to help the state where you're setting up sshd and it's not looking for the right principal in the keytab. This is mainly targeted at gss acceptors. Don't try to guess realm; just try to look for service name. Also possibly add a profile variable to ignore what hostname the app passes in.
- Sam
- This falls directly out of a discussion we've had with Roland a couple months ago. He proposed the environment variable approach. I don't think we should take env var. Maybe use profile instead.
- Greg
- Another idea, when you import service and host, we fwd/rev canon. So there are 3 hostnames - orig, fwd, rev... try all 3. (srv) acquire_cred could check for principal in keytab, error if not found. Record in the gss mechanism name object all 3 names.
- Sam
- I argue we should reduce the number things of DNS things we're doing. We don't want to be encouraging people to depend on it by introducing better behavior in that case.
- Greg
- None of this will work unless the client can determine a correct name to use. Client will do fwd and/or rev canon using DNS (srv uses hosts file). adds complexity, but is a big usability issue.
- Sam
- Simon's already added a patch (to sshd) to import null name.
- Greg
- but you have to turn it on. It's common to turn on gss auth, but leave strict acceptor check on (default) and lose.
- Sam
- It's more important to make importing "host" work better than to do explicit iteration.
- Greg
- can't per-realm unless you know srv realm
- Sam
- I meant per-realm in terms of client realm... if client sees local realm has bit set for "understand referrals". In the common case, go to KDC and request what user asked for.
- Greg
- One problem is sn2princ has no idea what's in the ccache.
- Sam
- One big change that will help in the import path: save original input away before canonicalizing.
- Simo
- What if you get back something that doesn't resemble what you've asked for.
- Sam
- w2k has that problem but that's one reason Microsoft stopped doing it.
- Greg
- We cache twice, once with realm and once without.
- Greg
- What about unqualified hostnames?
- Sam
- We can add static (search domain) suffix. If using AD for KDC, DNS, DHCP you're ok. otherwise you can lose.
Documentation
- Sam
- I have one big technical issue. Having 1 tool for API documentation makes a lot more sense than 2 tools. Having a full page of documentation (per function), or a lengthy example in the header is probably excessive. Doxygen allows a separate file for additional documentation.
- Sam
- for devs, contributing doxygen docs will be easier. agree you want a different tool for non-api doc.
- Zhanna
- initial thought was separation of data from tools. database with entries. when someone wants to create customized doc, grab from
database and compile doc.
- Sam
- want simplicity. single tool per type of doc is simpler.
- Zhanna
- I found rst really simple.
- Sam
- rst and doxy about the same complexity. when you have 1 tool trying to feed into another, you add significant complexity. krb doc has doc needs similar to everyone else, so shd adopt soln similar to others.
- Sam
- I will work with you to make sure examples etc in separate files from header work.
- Sam
- process point... similar proposal on krbdev a few months ago. got fairly negative comments from me ken et al. willing to work to resolve objections.
- Sam
- why not link directly from other docs to doxygen intead of going to rst translation of doxygen?
- Zhanna
- community can decide if translated doxygen doesn't work
- Zhanna
- asked many times. list of tasks to document.
- Will
- just responded to your mail, got a bounce. will ask team, get back to you.
- Zhanna
- troubleshooting, error msgs, diagnostics.
Acceptor names
- Greg
- ignore_acceptor_name .. was going to enforce at name import. would be first time krb5 mech looks at the profile.
- Sam
- would expect that var to apply to non-gss uses of lib.
- Greg
- we don't know whether sn2princ...
- Sam
- tradeoff there. both options have ugliness.
Misc.
- Simo
- short q. trying to rebase samba4 backend. previously able to build. now require k5-int.h.
- Greg
- should be kdb.h, not kdb5.h. you may have found a problem. may need to shuffle things around so you can write a module w/o kdb5.h.
- Simo
- reading fns like kdb_check_allowed_deleg_req....
- Greg
- db_invoke? was split out into separate fns.
- Greg
- only kdb header we install is kdb.h. ideally should be able to build only with install tree.