On Dec 4, 2013, at 12:53 PM, Trond Myklebust <trondmy@xxxxxxxxx> wrote:

>
> On Dec 4, 2013, at 12:14, Chuck Lever <chuck.lever@xxxxxxxxxx> wrote:
>
>>
>> On Dec 4, 2013, at 8:13 AM, Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
>>
>>> Btw, looks like librpcsecgss is indeed pretty much unmaintained. The
>>> last upstream release is a tarball drop from CITI in 2009 and there
>>> doesn't appear to be a source repository of any kind.
>>>
>>> I think the best idea would be to merge it into the libtirpc repo,
>>> as both the heritage and usage of the codebases is the same.
>>
>> Comparing what's packaged in nfs-utils-lib and what's in libtirpc: it appears libtirpc already has librpcsecgss.
>
> It does? AFAICS a freshly cloned copy of libtirpc only contains the prehistoric krb4/DES implementation. I see no GSS library.

I pulled from:

  git://git.infradead.org/~steved/libtirpc.git

Yes, there's AUTH_DES support in libtirpc, and who knows if our implementation works. But I'm looking at tirpc/rpc/auth_gss.h. Both libraries provide roughly the same API. And I'm able to build a working GSS-enabled version of rpc.fedfsd and clients.

"git log" tells me src/auth_gss.c and tirpc/rpc/auth_gss.h have been in libtirpc since at least 0.1.7.

libtirpc applications currently have to link explicitly with libgssapi_krb5 (provided by MIT Kerberos), AFAICT, to get GSS support.

I'd like to add support in libtirpc for dynamically loading libgssapi_krb5 when it is needed. Then applications would need only invoke rpc_gss_*() (or the legacy authgss_*() equivalent) to get RPCSECGSS, if libgssapi_krb5 is already installed on their system.

> I thought the reason why we deprecated librpcsecgss was that the MIT Kerberos libraries now have the equivalent hooks.

My understanding:

MIT Kerberos provides libgssapi_krb5.

libtirpc provides the RPCSEC APIs based on the Kerberos v5 mechanism provided in libgssapi_krb5.

librpcsecgss provides RPCSEC APIs based on the GSSAPI Kerberos v5 mechanism provided in libgssglue, which is deprecated.

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com