On Fri, 2018-01-05 at 10:10 +0000, James Hogarth wrote: > On 5 January 2018 at 09:35, David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote: > > On Fri, 2018-01-05 at 09:23 +0100, Jan Kurik wrote: > > > > > > > > > == Detailed Description == > > > Replace older, clunkier, less user-friendly python interfaces to > > > Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface, > > > which is widely standardized, implemented by both MIT and Heimdal > > > Kerberos, and much more user-friendly. > > > > > > As part of this effort, python-requests-gssapi will be introduced to > > > fedora to enable transition off of python-requests-kerberos (which > > > requires pykerberos). Its package review (completed as of 2018-01-03) > > > was rhbz#1527682 > > > > In affected components, presumably this should fix authentication to > > services where GSSAPI needs to fall back from Kerberos to GSS-NTLMSSP. > > > > If possible, it would be nice to include that fallback in any testing > > that gets done. > > > Note that python-requests-kerberos is a fairly common library used in > the Windows managed by Ansible world. > > Although many use the basic ntlm auth the single sign on aspect of the > Kerberos library is useful. > > There is a general transition to CredSSP recommended for windows > Ansible users (which is somewhat waiting on me in Fedora... Christmas > was busy... and only covers ntlm not kerberos at this time) but we > will want to avoid dropping that for the time being or at least > provide some guidance or a pull request for python-winrm to use > python-requests-gssapi instead of (or in addition to) > python-requests-kerberos. > > I've cc'd jborean as he's responsible for python-requests-credssp and > should probably be aware of the the pykerberos -> python-gssapi stuff > for his development activities. > Can we avoid using ntlm_auth in new packages and instead use gssapi with gss-ntlmssp ? Simo. -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
