On 2010-05-04 16:22, Stefan Sperling wrote:
> On Tue, Mar 23, 2010 at 10:16:25PM +0100, Stefan Sperling wrote:
> > On Tue, Mar 23, 2010 at 03:58:50PM -0500, Alec Kloss wrote:
> > > Now please see attached.
> >
> > Thanks. I'll try to look at this soon.
> >
> > I've also downloaded a couple of related RFCs (e.g. RFC4422) for reference,
> > as well as cyrus-sasl source code -- the binaries are already installed
> > cause sendmail uses them, but I've never used SASL for anything other than
> > smtp auth with sendmail, and that is pretty simple to set up.
>
> I've given this a look today.
>
> The SASL documentation mentions that cross-realm support depends on
> the application, so your approach at solving the problem in Subversion
> is correct.
>
> What worries me is that your patch to the SASL gssapi module is needed
> to make use of cross-realm authentication with Kerberos.
> It seems the SASL developers have not responded to your patch (at least
> they did not respond publicly):
> http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=9372
> Do you have an idea about whether the patch will be applied to SASL?
>
> Is there any useful purpose for cross-realm authentication without
> using Kerberos? If so, can you suggest a way for me to test this
> without patching SASL? If not, I'd rather wait for your gssapi patch
> to be included in SASL before adding support for this to Subversion.
> We can't require all users to patch SASL...
>
> (The gssapi patch in the script you attached is reversed, BTW.)
Thanks for taking time to look.

The GSSAPI patch to SASL is to work around issues with canonicalization of hostnames. It's only required for my test script to work; it is possible to make GSSAPI cross-realm work without it but requires either careful DNS configuration (i.e., the DNS name the client uses to access Subversion must match what gethostname(2) returns on the machine running the Subversion server) or a bit of configuration to get the KDC to produce a "referral" for the correct name. As I recall, KDC referrals were added to heimdal in 1.3 (but only for the hdb datastore, not the ldap datastore).

Generally speaking, even though Cyrus SASL hasn't uptaken the idea of using GSS_C_NO_NAME or a configurable service host name, the heimdal folks at least think something along those lines is a good idea. Sadly, I haven't seen much sign of life from Cyrus SASL lately.

I'm happy to help try to set up a configuration that will demonstrate the issue without patching Cyrus SASL. It'll just require a "real" Kerberos realm to do it.

--
alec.kl...@oracle.com
Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBD1FF14
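The hostname-canonicalization failure Alec describes, and the three ways around it (DNS name matching gethostname(2), a KDC referral, or the GSS_C_NO_NAME change to the SASL gssapi module), as an added model in Python; this is not code from the thread or from cyrus-sasl, and the host names, keytab entries and the `svn` service name are constructed for the example. The client's own realm is not modelled; only the acceptor-side name check matters here.

```python
# Added example: models why the SASL GSSAPI acceptor rejects a ticket when the
# host name the client used differs from what gethostname(2) returns on the server.

def principal(service, host, realm):
    """Build a Kerberos service principal; host is lower-cased and un-dotted."""
    return f"{service}/{host.lower().rstrip('.')}@{realm}"

def kdc_issue_ticket(service, host, realm, referrals=None):
    """Model a KDC. `referrals` is a constructed alias -> canonical host map;
    when present the KDC issues the ticket for the canonical name instead."""
    canonical = (referrals or {}).get(host.lower(), host)
    return principal(service, canonical, realm)

def sasl_accept(ticket_principal, server_gethostname, keytab, realm,
                service="svn", use_gss_c_no_name=False):
    """Model the acceptor side of the SASL GSSAPI mechanism, as described in
    the thread: unpatched, the acceptor is bound to service@gethostname(), so a
    ticket for any other host name fails even if its key is in the keytab.
    With GSS_C_NO_NAME any keytab entry is accepted. Returns (ok, reason)."""
    if ticket_principal not in keytab:
        return False, f"no key for {ticket_principal} in keytab"
    if use_gss_c_no_name:
        return True, f"accepted via keytab lookup: {ticket_principal}"
    bound = principal(service, server_gethostname, realm)
    if ticket_principal != bound:
        return False, f"ticket for {ticket_principal}, acceptor bound to {bound}"
    return True, f"accepted: {ticket_principal}"

def svn_gssapi_login(client_host, server_gethostname, keytab, server_realm,
                     referrals=None, use_gss_c_no_name=False, service="svn"):
    """Client asks the server-realm KDC for svn/<client_host>; server accepts."""
    ticket = kdc_issue_ticket(service, client_host, server_realm, referrals)
    return sasl_accept(ticket, server_gethostname, keytab, server_realm,
                       service, use_gss_c_no_name)

# Constructed scenario: clients use the alias svn.example.com, but the server
# reports host1.example.com from gethostname(2). Both keys are in the keytab.
KEYTAB = {"svn/host1.example.com@EXAMPLE.COM", "svn/svn.example.com@EXAMPLE.COM"}

if __name__ == "__main__":
    args = ("svn.example.com", "host1.example.com", KEYTAB, "EXAMPLE.COM")
    print("plain:   ", svn_gssapi_login(*args))                 # rejected
    print("dns:     ", svn_gssapi_login("host1.example.com", *args[1:]))
    print("referral:", svn_gssapi_login(*args,
          referrals={"svn.example.com": "host1.example.com"}))
    print("no_name: ", svn_gssapi_login(*args, use_gss_c_no_name=True))
```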