Release Meeting Minutes/2011-02-01


Greg Hudson, Zhanna Tsitkova, Thomas Hardjono, Sam Hartman, Simo Sorce, Will Fiveash

GSS errors

Greg
Arlene Berry sent a bug [krbdev.mit.edu #6848] re gss errors. mapped errors. want error hdrs installed.
Sam
app developers want to be able to check for specific error codes
Sam
would have taken ctx param to display_status
Greg
avoid mapping error codes?

Acceptor names

Greg
We want to help the state where you're setting up sshd and it's not looking for the right principal in the keytab. This is mainly targeted at gss acceptors. Don't try to guess realm; just try to look for service name. Also possibly add a profile variable to ignore what hostname the app passes in.
Sam
This falls directly out of a discussion we've had with Roland a couple months ago. He proposed the environment variable approach. I don't think we should take env var. Maybe use profile instead.
Greg
Another idea, when you import service and host, we fwd/rev canon. So there are 3 hostnames - orig, fwd, rev... try all 3. (srv) acquire_cred could check for principal in keytab, error if not found. Record in the gss mechanism name object all 3 names.
Sam
I argue we should reduce the number of DNS things we're doing. We don't want to be encouraging people to depend on it by introducing better behavior in that case.
Greg
None of this will work unless the client can determine a correct name to use. Client will do fwd and/or rev canon using DNS (srv uses hosts file). adds complexity, but is a big usability issue.
Sam
Simon's already added a patch (to sshd) to import null name.
Greg
but you have to turn it on. It's common to turn on gss auth, but leave strict acceptor check on (default) and lose.
Sam
It's more important to make importing "host" work better than to do explicit iteration.
Greg
can't per-realm unless you know srv realm
Sam
I meant per-realm in terms of client realm... if client sees local realm has bit set for "understand referrals". In the common case, go to KDC and request what user asked for.
Greg
One problem is sn2princ has no idea what's in the ccache.
Sam
One big change that will help in the import path: save original input away before canonicalizing.
Simo
What if you get back something that doesn't resemble what you've asked for?
Sam
w2k has that problem but that's one reason Microsoft stopped doing it.
Greg
We cache twice, once with realm and once without.
Greg
What about unqualified hostnames?
Sam
We can add static (search domain) suffix. If using AD for KDC, DNS, DHCP you're ok. otherwise you can lose.

Documentation

Sam
I have one big technical issue. Having 1 tool for API documentation makes a lot more sense than 2 tools. Having a full page of documentation (per function), or a lengthy example in the header is probably excessive. Doxygen allows a separate file for additional documentation.
Sam
for devs, contributing doxygen docs will be easier. agree you want a different tool for non-api doc.
Zhanna
initial thought was separation of data from tools. database with entries. when someone wants to create customized doc, grab from database and compile doc.

Sam
want simplicity. single tool per type of doc is simpler.
Zhanna
I found rst really simple.
Sam
rst and doxy about the same complexity. when you have 1 tool trying to feed into another, you add significant complexity. krb doc has doc needs similar to everyone else, so shd adopt soln similar to others.
Sam
I will work with you to make sure examples etc in separate files from header work.
Sam
process point... similar proposal on krbdev a few months ago. got fairly negative comments from me ken et al. willing to work to resolve objections.
Sam
why not link directly from other docs to doxygen instead of going to rst translation of doxygen?
Zhanna
community can decide if translated doxygen doesn't work
Zhanna
asked many times. list of tasks to document.
Will
just responded to your mail, got a bounce. will ask team, get back to you.
Zhanna
troubleshooting, error msgs, diagnostics.

Acceptor names

Greg
ignore_acceptor_name .. was going to enforce at name import. would be first time krb5 mech looks at the profile.
Sam
would expect that var to apply to non-gss uses of lib.
Greg
we don't know whether sn2princ...
Sam
tradeoff there. both options have ugliness.

Misc.

Simo
short q. trying to rebase samba4 backend. previously able to build. now require k5-int.h.
Greg
should be kdb.h, not kdb5.h. you may have found a problem. may need to shuffle things around so you can write a module w/o kdb5.h.
Simo
reading fns like kdb_check_allowed_deleg_req....
Greg
db_invoke? was split out into separate fns.
Greg
only kdb header we install is kdb.h. ideally should be able to build only with install tree.