[17184] in Kerberos_V5_Development

gss_pname_to_uid: is that the right interface

daemon@ATHENA.MIT.EDU (Sam Hartman)
Tue Sep 20 15:01:06 2011

From: Sam Hartman <hartmans@mit.edu>
To: krbdev@mit.edu
Date: Tue, 20 Sep 2011 15:00:40 -0400
Message-ID: <tslvcsn6ntz.fsf@mit.edu>
Cc: lha@h5l.org, lukeh@padl.com



This interface has shipped in Heimdal, which limits our options.

We introduced a new interface that converts a GSS-API name resulting
from authentication to a uid. The interface was originally specified for
Solaris, where it is private.

I've noticed a couple of things about this:

1) it exposes uid_t in a GSSAPI interface, which is problematic for
Windows.

2) It's inconvenient. All the times I've wanted it I've ended up calling
getpwuid on the result.  Except internally it's generally implemented in
terms of names. So, it adds a translation to/from uid that you don't
want.

3) I asked folks from Red Hat (Simo mainly) whether the translation
to/from uid can cause problems.  It can.  SSSD may not yet have created
the account.

So, I wonder whether we'd be better off with 

OM_uint32 gss_localname (gss_name_t input_name, gss_buffer_t localname);


I realize that Heimdal is committed to the existing interface and for
portability MIT should ship the existing interface too.  I also realize
my timing is horrible: this would have been a much more useful comment a
few months ago.

Nevertheless, I'd like to ask for comments about what we should do
here.