Re: [spice-gtk] Support SASL GSSAPI

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jun 06, 2016 at 09:01:10AM -0400, Marc-André Lureau wrote:
> Hi
> 
> ----- Original Message -----
> > I'm sending Alexander Bokovoy's patch as it is, also here is some notes from
> > him:
> > 
> > "I'd really like to find a way to do it with pure SASL properties so that the
> > code would work for both SPNEGO and Kerberos. SPNEGO NTLMSSP would make it
> > working for environments where you don't have Kerberos but what we have
> > right now should be fine for pure Kerberos environments like FreeIPA or
> > Active Directory."
> > 
> > And also his blog post:
> > https://vda.li/en/posts/2016/05/30/Single-sign-on-to-virtual-machines/
> > 
> > On one hand I think would be good to have this issue partially fixed (as per
> > Alexander's comment) for 0.32, on the other hand I don't like calling these
> > kerberos functions directly. Also, we probably would have to add a kerberos
> > check/option on configure, right? I can do that without any problems, but I
> > firstly would like to hear the opinions from other people in the project.
> 
> Yes, it will have to be optional (especially because compiling krb5 on mingw is *hard* - last time I checked)

Even compiling cryus-sasl is hard - indeed last I looked fedora didn't
have any mingw packages for it.

> 
> > I'm willing to re-work this patch after the release and try to find an ideal
> > solution (if possible) and also spend some more time digging into the
> > differences on handling this between gtk-vnc and spice-gtk.
> 
> From his blog, I gathered that it worked with gtk-vnc but not with
> spice-gtk. Why do we need krb specific code when gtk-vnc doesn't need it?

It looks like the code is trying to set a default username based on the
current kerberos credential the user has. gtk-vnc doesn't bother trying
todo this - the user just always has to supply the username explicitly
IMHO it would be fine for spice-gtk todo the same and avoid the krb dep/

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]     [Monitors]