On 5 January 2018 at 09:35, David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
> On Fri, 2018-01-05 at 09:23 +0100, Jan Kurik wrote:
>>
>> == Detailed Description ==
>> Replace older, clunkier, less user-friendly python interfaces to
>> Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface,
>> which is widely standardized, implemented by both MIT and Heimdal
>> Kerberos, and much more user-friendly.
>>
>> As part of this effort, python-requests-gssapi will be introduced to
>> fedora to enable transition off of python-requests-kerberos (which
>> requires pykerberos). Its package review (completed as of 2018-01-03)
>> was rhbz#1527682
>
> In affected components, presumably this should fix authentication to
> services where GSSAPI needs to fall back from Kerberos to GSS-NTLMSSP.
>
> If possible, it would be nice to include that fallback in any testing
> that gets done.

Note that python-requests-kerberos is a fairly common library used in the Windows managed by Ansible world. Although many use the basic ntlm auth, the single sign-on aspect of the Kerberos library is useful.

There is a general transition to CredSSP recommended for Windows Ansible users (which is somewhat waiting on me in Fedora... Christmas was busy... and only covers ntlm not kerberos at this time) but we will want to avoid dropping that for the time being or at least provide some guidance or a pull request for python-winrm to use python-requests-gssapi instead of (or in addition to) python-requests-kerberos.

I've cc'd jborean as he's responsible for python-requests-credssp and should probably be aware of the pykerberos -> python-gssapi stuff for his development activities.