gss_pname_to_uid: is that the right interface

Sam Hartman hartmans at MIT.EDU
Tue Sep 20 15:00:40 EDT 2011

This interface has shipped in Heimdal, which limits our options.

We introduced a new interface that converts a GSS-API name resulting
from authentication to a uid. The interface was originally specified for
Solaris, where it is private.

I've noticed a couple of things about this:

1) it exposes uid_t in a GSSAPI interface, which is problematic for

2) It's inconvenient. All the times I've wanted it I've ended up calling
getpwuid on the result.  Except internally it's generally implemented in
terms of names. So, it  adds  a translation to/from uid that you don't

3) I asked folks from Redhat (Simo mainly) whether the translation
to/from uid can cause problems.  It can.  SSSD may not yet have created
the account.

So, I wonder whether we'd be better off with 

OM_uint32 gss_localname (gss_name t input_name, gss_buffer_t localname);

I realize that Heimdal is committed to the existing interface and for
portability MIT should ship the existing interface too.  I also realize
my timing is horrible: this would have been a much more useful comment a
few months ago.

Never the less I'd like to ask for comments about what we should do

More information about the krbdev mailing list