On Fri, 10 Jun 2016, Pavel Grunt wrote:
> How does it affect info about auth failure provided by
> spice_channel_failed_authentication() ?
If c->auth_needs_username is set, spice_channel_failed_authentication()
will tell that a username is required. This is certainly true -- if SASL
GSSAPI failed, username/password are indeed required. So it wouldn't be
a problem, at least from my reading of the code and tests with spicy
tool.
However, there is a problem with cases like virt-manager which assumes
there is only a password per channel required and never shows you a
request to enter username in case of SASL GSSAPI failure. When you enter
a password, the underlying code would complain that username is missing
but no way to enter username would be provided. This is virt-manager's
issue
Is there a bug ?
No, now I'm not able to reproduce it when SASL GSSAPI is fixed.
Do you want a bug for the case when you don't have a valid ticket in the
ccache?
(not related to the patch - it would be nice to rewrite/clean up the "SASL" part
of spice-channel.c)
There could be a bit of clean up but the main auth code is correct.
I would perhaps added support to optionally allow TGT delegation but we
would need it only once we would build up a channel to sign in into a
VM so that TGT could be forwarded into a VM's ccache.
--
/ Alexander Bokovoy
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel